XCon2016: a technical exchange platform for 15 years.

XCon XFocus Information Security Conference

Having a certain influence in the world, the XCon Information Security Conference is one of the largest, most authoritative and best-known information security conferences in China. For more than a decade, XCon has upheld its rigorous working style and invited information security experts, enthusiasts and network security consultants from home and abroad. XCon is committed to creating a friendly, harmonious platform for communication.

Every summer XCon comes in time to meet you in Beijing, the capital of China. Hundreds of information security experts, scholars, researchers and related professionals from different countries are invited to present and give speeches. The conference covers information security technologies across established and emerging fields. If you have new technologies, new discoveries or successful experience in some field, you are welcome to share them with us!

This is a feast of technology, and you should be here!

Send your papers to cfp@huayongxingan.com

XCon2016 Call For Paper

XCon2016 Latest News

XCon2016 Venue: NUO Hotel Beijing

Date: 29-30 August 2016

Call For Paper: XCon2016 Call For Paper (cfp@huayongxingan.com)


XCon2016 Agenda

2016-8-29 Mon. 1st day
Time           Speaker               Presentation
08:30 - 09:30                        XCon2016 Registration
09:30 - 09:40                        Beginning Speech
09:40 - 10:40  Jason Shirk           What it takes to make the Top 100
10:40 - 11:40  Tao Wei               Ecosystem Vulnerability
11:40 - 13:30                        Lunch
13:30 - 14:30  Bing Sun / Chong Xu   JIT Spraying never dies - Bypass CFG by leveraging WARP Shader JIT Spraying
14:30 - 15:30  Peter Hlavaty         Ice Age melting down: Intel feat considering usefully
15:30 - 16:00                        Coffee Break
16:00 - 17:00  Hongwei Jiang         Flash Player Fuzzing
17:00 - 18:00  Chuanwen Chen         Security of mobile application communication

2016-8-30 Tue. 2nd day
Time           Speaker               Presentation
09:30 - 10:30  Guanxing Wen          Leverage one-shot UAF to a Minigun
10:30 - 11:30  nEINEI                Advanced Exploitation Technology: Breaking AV-Emulator
11:30 - 13:30                        Lunch
13:30 - 14:30  Esoul                 Introduction to Information Security Risk of SRAM-based FPGA
14:30 - 15:30  Kang Wu               Webshell Detection Based On Script Virtual Machine
15:30 - 16:00                        Coffee Break
16:00 - 17:00                        Security Forum
17:00 - 17:10                        Closing Speech

XCon2016:NUO Hotel Beijing

Surround yourself with style and serenity at NUO Hotel Beijing, one of the newest and most luxurious hotels in China's capital. Inspired by the cultural and artistic achievements of the Ming Dynasty, NUO mixes business with pleasure and art with technology and sustainability. NUO, the Chinese word for promise, is proud to pioneer the future of Chinese luxury hospitality.

NUO Hotel Beijing: 2A Jiangtai Road, Chaoyang District, Beijing 100016 P.R. China

Tel:+86 10 5926 8888


Speakers

Tao Wei

Dr. Tao Wei is Chief Security Scientist of Baidu Inc. and co-organizer of the UC Berkeley BitBlaze group. For the past 20 years he has conducted research in many security areas and published papers at top-tier academic and industry security conferences. His research now focuses on mobile security architecture, Internet financial security, threat intelligence and machine learning.

Ecosystem Vulnerability

Ecosystem Vulnerability is a continuous vulnerable status of a software/internet ecosystem. In this talk, we will discuss different kinds of ecosystem vulnerabilities, their root causes, and how to mitigate them.

Trayvon Chen

Master of computer application technology and Bachelor of information security, Wuhan University. After graduation he worked at Alibaba for over 9 years, engaged in application development, core system development and server architecture design. He is a core member of the open-source web server project Tengine and has rich experience with SSL/TLS in both engineering and research. He is now a senior security researcher at Antiy, responsible for mobile application vulnerability research.

Security of mobile application communication

There are various implementations of communication in mobile applications, and most of them are not secure. Many developers do not even know how to write secure communication code for their applications, except a few senior ones who really care about security. In this topic, I will discuss the common implementations, analyze whether they cause risks, and how to mitigate the risks. In particular, this topic will cover most cases of HTTPS on both client and server. Last but not least, the topic will discuss how to design your own secure protocols to meet different levels of security requirements. There are also specific examples for each part to help the audience understand the contents.
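The two client-side HTTPS mistakes the abstract alludes to, shown next to their fix, as an added illustration in Python's standard ssl module (this is not code from the talk or from Antiy): the weak context disables chain validation and hostname matching, the hardened one requires both and floors the protocol at TLS 1.2, and `audit_context` returns what a reviewer would flag. The second half goes one step beyond plain verification, as mobile clients commonly do, and pins the server's SubjectPublicKeyInfo; the certificate it parses is built inline with a tiny DER encoder and is a constructed, unsigned dummy, not a real certificate. Function names such as `audit_context`, `spki_pin` and `verify_pin` are this example's own.

```python
import base64
import hashlib
import ssl
from typing import Iterable, Iterator, List, Tuple

# ---- 1. client context: the common broken pattern next to the hardened one ----

def insecure_context() -> ssl.SSLContext:
    """What 'just make the certificate error go away' snippets produce: no chain
    validation and no hostname match, so any interception certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode may be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings a reviewer would raise against a client-side context; empty means OK."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor is below TLS 1.2")
    return findings

# ---- 2. pinning the server key (SubjectPublicKeyInfo hash), as mobile clients do ----

def der_elements(buf: bytes) -> Iterator[Tuple[int, bytes, bytes]]:
    """Yield (tag, whole TLV, body) for each DER element at the top level of buf."""
    pos = 0
    while pos < len(buf):
        start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                     # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        body, pos = buf[pos:pos + length], pos + length
        yield tag, buf[start:pos], body

def extract_spki(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 field order)."""
    _, _, cert_body = next(der_elements(cert_der))     # Certificate ::= SEQUENCE
    _, _, tbs = next(der_elements(cert_body))          # tbsCertificate ::= SEQUENCE
    fields = list(der_elements(tbs))
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, spki_tlv, _ = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_tlv

def spki_pin(cert_der: bytes) -> str:
    """Pin format used by HPKP and OkHttp: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def verify_pin(cert_der: bytes, pins: Iterable[str]) -> bool:
    """Pin the key rather than the whole certificate so re-issues with the same key
    keep working; always ship at least one backup pin or the app bricks on rotation."""
    return spki_pin(cert_der) in set(pins)

# ---- constructed test certificate: hand-built DER, unsigned, not a real cert ----

def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # 1.2.840.113549.1.1.1
SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
CN_OID = b"\x55\x04\x03"                                  # 2.5.4.3 (commonName)
FAKE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
                 + _tlv(0x03, b"\x00" + b"\x30\x06\x02\x01\x03\x02\x01\x03"))  # toy key

def fake_cert(spki_tlv: bytes) -> bytes:
    alg = _tlv(0x30, _tlv(0x06, SHA256_RSA_OID) + _tlv(0x05, b""))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, b"api.example.test"))))
    validity = _tlv(0x30, _tlv(0x17, b"160829000000Z") + _tlv(0x17, b"170829000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
               + alg + name + validity + name + spki_tlv)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 17))   # dummy signature BIT STRING

if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("hardened:", audit_context(hardened_context()))
    cert = fake_cert(FAKE_SPKI)
    print("pin:", spki_pin(cert), "match:", verify_pin(cert, [spki_pin(cert)]))
```

Pinning is only worth adding on top of a correctly verifying context, never instead of it: a pinned but unverified connection still accepts an attacker's chain as long as the leaf key matches, and a single pin with no backup turns a key rotation into an outage.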

Peter Hlavaty

Peter is Lead for Windows Kernel Research at Keen Lab of Tencent (originally known as KEEN Team), with a primary focus on vulnerability discovery and the development of novel exploitation techniques. He has presented his research at conferences such as Recon, SyScan, ZeroNights, NoSuchCon and others. Prior to Keen, Peter was an AV (ESET) guy with 4+ years of experience in that field, then switched to offensive software security research focused on Windows and Linux kernel architectures. He is a Pwnie nominee and Pwn2Own 2015 & 2016 (MoP) winner, a member of the GeeKon committee and a GeekPwn judge, and an occasional CTF player. Besides software security, he does his best as a wushu player as well.

Ice Age melting down: Intel feat considering usefully

Kernel exploitation has decades of history, yet the most-used techniques are still ROP and its relatives. Software-based approaches have finally come to challenge this technique, some more successfully than others. Those approaches usually try to solve far more than the ROP problem alone, and have to handle not only security but, almost more importantly, performance. Another common attack vector for redirecting control flow is the stack, which comes from the design of today's architectures, and lately some software approaches tackle this as well. Although these software-based methods are nice pieces of work and effective to a large extent, a new game-changing approach seems to be coming to light: a methodology closing this attack vector that comes right from the hardware, from Intel. We will compare this approach to its software alternatives: how one interleaves with another and how they can benefit from each other to challenge the attacker by breaking his most fundamental techniques. At the same time we go further, challenging those approaches and showing that even with these technologies in place the attacker is not yet cornered.

Esoul

esoul is from Antiy Labs. His technical interests include computer and peripheral hardware security, ICS security, embedded systems and IoT. He is a geek obsessed with technology; hardware DIY and hacking are both his work and his hobby. He and his team have presented their work many times at XCon.

Introduction to Information Security Risk of SRAM-based FPGA

Driven by the needs of gene sequencing, big data analysis and machine learning applications, and by the development of microelectronics technology, the FPGA is gradually changing from a dedicated electronic device into a general information processing and computing tool. Due to its unique technical characteristics, the FPGA shows great advantages and potential in high-performance computing, but it also faces unique information security challenges. This talk presents the research team's preliminary thinking and experimental exploration of these issues. The technical characteristics and development flow of FPGAs will be described briefly, and the potential security risks of the closed hardware architecture and closed-source tool chain will be analyzed. A simple example will demonstrate the threat of information disclosure.

Jason Shirk

Jason Shirk is a Principal Security Strategist at Microsoft and runs their Bug Bounty Program (aka.ms/bugbounty). He has spent a number of years in both the software security & user data privacy spaces with roles from owning Microsoft’s Fuzzing Strategy and toolkit to the Security Architect for Bing, penetration test and endpoint security at Bell Labs/Avaya, to now driving overall Security Ecosystem Strategy for Microsoft.  Jason speaks regularly at external Security & Privacy conferences, as well as advising program owners across Microsoft and the industry on the evolving nature of building secure software, with user privacy in the forefront.

What it takes to make the Top 100

Bug bounty continues to be in the news, and new security research comes up regularly. For the last 2 years, Microsoft has published the MSRC Top 100 researchers. This talk will dive into how the rankings are calculated, how they change over time, and what it takes to make the Top 100. Beyond bug bounty, Microsoft uses the vulnerabilities, mitigation bypasses and other security research to make meaningful changes to its software. Jason will discuss some of the research presented at Black Hat by David Weston and Matt Miller on hardening Windows 10. Finally, Jason will discuss the latest Microsoft bounty, areas for researchers to focus on, and how bounty targets are selected.

Chong Xu

Chong received his Ph.D. degree in networking and security from Duke University. His current focus includes research and innovation on intrusion and prevention techniques as well as threat intelligence. He is a senior director of Intel Security IPS team, which leads Intel Security vulnerability research, malware and APT detection, and botnet detection and feeds security content and innovative protection solutions into Intel Security’s network IPS, host IPS, and sandbox products, as well as McAfee Global Threat Intelligence (GTI).

JIT Spraying never dies - Bypass CFG by leveraging WARP Shader JIT Spraying

Many scripting languages, such as JavaScript and ActionScript, use Just-In-Time (JIT) compilation to improve script execution performance. However, under some circumstances the legitimate JIT mechanism can be leveraged by an exploit to bypass memory protections and mitigations such as ASLR and DEP. This exploitation technique was first introduced as "JIT Spraying" in 2010. The idea is to use constant numeric values in the high-level script language to generate the desired JITed code at predictable locations. With JIT spraying becoming a popular and reliable exploitation technique, vendors started to revisit their JIT engine implementations. Since then, mitigation countermeasures such as randomizing JIT code page allocation and mutating JITed code generation have been employed to prevent JIT spraying. In particular, the MS WARP shader JIT engine, which we will exploit in this talk, has security mechanisms such as shader complexity limits, a JIT cache size limit, and separation between constant data and code. As a result, the JIT spraying technique became less effective in most exploitation scenarios. Nevertheless, JIT spraying has never died, even in the most secure Windows 10 era. In this talk, we will present a completely different JIT spraying exploitation technique (based on the MS WARP JIT) to bypass Control Flow Guard (CFG) in the context of the browser in a generic way. This presentation provides details on how to circumvent the MS WARP JIT restrictions and achieve a reliable CFG bypass. At the end, a live demo will demonstrate bypassing CFG on IE11 and Edge on Windows 10.
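For readers who have not seen the 2010 technique the abstract starts from, the following added example (not the speakers' code, and not the WARP shader technique of the talk) models the classic XOR-chain encoding in Python: each script constant carries three payload bytes plus a 0x3C top byte, so that a JITed "mov eax, imm32 / xor eax, imm32" chain read from offset +1 decodes as payload, "cmp al, 0x35", payload, "cmp al, 0x35", and so on, the cmp swallowing each xor opcode. It also models constant blinding, one of the "mutating JITed code generation" mitigations the abstract mentions: every immediate is emitted XORed with a key and followed by an extra xor with the key, so the chain computes the same value but attacker-chosen bytes never appear verbatim. The JIT here is a hypothetical byte-level model rather than any real engine, and `SAMPLE_PAYLOAD` is a constructed run of harmless instructions, not shellcode.

```python
from functools import reduce
from typing import List, Optional

MOV_EAX_IMM32 = 0xB8   # x86: mov eax, imm32
XOR_EAX_IMM32 = 0x35   # x86: xor eax, imm32
CMP_AL_IMM8 = 0x3C     # x86: cmp al, imm8 (2-byte "glue" that eats the next xor opcode)

# Constructed stand-in for a payload: three harmless 3-byte x86 groups, NOT shellcode.
SAMPLE_PAYLOAD = bytes.fromhex("31c090" "31db90" "31c990")  # xor eax,eax;nop; xor ebx,ebx;nop; ...

def encode_constants(payload: bytes) -> List[int]:
    """Turn the payload into the 32-bit constants of a long XOR expression.

    Each constant holds 3 payload bytes in its low 24 bits and 0x3C in its top byte, so
    the JITed immediates, executed from offset +1, line up as
        <3 payload bytes> 3C 35 <3 payload bytes> 3C 35 ...
    where '3C 35' is 'cmp al, 0x35'. The caller must keep every 3-byte group a valid
    instruction boundary (the classic constraint of this technique)."""
    if len(payload) % 3:
        payload += b"\x90" * (3 - len(payload) % 3)          # pad with nop
    consts = []
    for i in range(0, len(payload), 3):
        b0, b1, b2 = payload[i:i + 3]
        consts.append(b0 | (b1 << 8) | (b2 << 16) | (CMP_AL_IMM8 << 24))
    return consts

def script_expression(consts: List[int]) -> str:
    """The ActionScript/JavaScript source line that would yield these constants."""
    return "var y = (" + " ^ ".join(f"0x{c:08X}" for c in consts) + ");"

def model_jit(consts: List[int], blind_key: Optional[int] = None) -> bytes:
    """Machine code a naive JIT would emit for the chain: mov eax,c0; xor eax,c1; ...
    With blind_key set, model constant blinding: emit (c ^ key) and then 'xor eax, key',
    so eax ends up identical but no attacker-controlled byte lands in the code page."""
    out = bytearray()
    for i, c in enumerate(consts):
        opcode = MOV_EAX_IMM32 if i == 0 else XOR_EAX_IMM32
        if blind_key is None:
            out.append(opcode); out += c.to_bytes(4, "little")
        else:
            out.append(opcode); out += (c ^ blind_key).to_bytes(4, "little")
            out.append(XOR_EAX_IMM32); out += blind_key.to_bytes(4, "little")
    return bytes(out)

def evaluate(jit: bytes) -> int:
    """Interpret the chain from offset 0 (the legitimate entry point); return eax."""
    eax, pos = 0, 0
    while pos < len(jit):
        op, imm = jit[pos], int.from_bytes(jit[pos + 1:pos + 5], "little")
        eax = imm if op == MOV_EAX_IMM32 else eax ^ imm
        pos += 5
    return eax

def recover_payload(jit: bytes) -> Optional[bytes]:
    """Walk the bytes the way the CPU would from offset +1. Return the payload if every
    3-byte group is followed by the '3C 35' glue (or ends the stream), else None."""
    payload, pos = bytearray(), 1
    while pos < len(jit):
        group = jit[pos:pos + 3]
        if len(group) < 3 or pos + 3 >= len(jit) or jit[pos + 3] != CMP_AL_IMM8:
            return None
        payload += group
        pos += 4                                  # now on the byte that must be 0x35
        if pos == len(jit):
            break
        if jit[pos] != XOR_EAX_IMM32:
            return None
        pos += 1
    return bytes(payload)

if __name__ == "__main__":
    consts = encode_constants(SAMPLE_PAYLOAD)
    print(script_expression(consts))
    plain, blinded = model_jit(consts), model_jit(consts, 0x5A5A5A5A)
    print("unblinded JIT recovers payload:", recover_payload(plain) == SAMPLE_PAYLOAD)
    print("blinded JIT recovers payload:  ", recover_payload(blinded) is not None)
    print("both compute the same eax:     ", evaluate(plain) == evaluate(blinded) == reduce(lambda a, b: a ^ b, consts))
```

The model also shows why the mitigations listed in the abstract are about predictability rather than about the constants themselves: blinding keeps the script's semantics intact, and the attacker's remaining lever is whatever the engine still emits verbatim, which is the direction the talk's WARP work takes.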

Bing Sun

Bing Sun is a senior information security researcher who leads the IPS security research team of Intel Security Group (formerly McAfee). He has extensive experience in operating system kernel and information security R&D, with a particularly deep dive into advanced vulnerability exploitation and detection, rootkit detection, firmware security and virtualization technology. Bing is also a regular speaker at international security conferences such as XCon, Black Hat and CanSecWest.

JIT Spraying never dies - Bypass CFG by leveraging WARP Shader JIT Spraying

(Joint talk with Chong Xu; see the abstract under Chong Xu above.)

Kang Wu(Polymorphours)

Polymorphours, Jowto Tianze Lab. Research directions: firmware, hardware security, web security, Windows/Linux/Solaris kernels, etc. Security holes: CVE-2007-5587, CVE-2012-0005. Proofs of concept: MS08-025, MS08-067. Speaker at xKungfoo 2012 (security holes caused by misusing handle references in Windows).

Webshell Detection Based On Script Virtual Machine

Webshells can often be found among web files; hackers use metamorphic webshells to escape anti-virus software, and their metamorphosis is usually more flexible than that of binaries, especially for the one-line webshell. The common method of detecting webshells is based on file signatures, but it cannot deal in time with metamorphic or encrypted webshells. A webshell's metamorphosis is based on script, so why not use a script virtual machine to detect it? This keynote speech will show how to use an ASP script interpreter and automatic input vector generation to detect webshells, and the speaker will give a demonstration after the speech.
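As an added illustration of the script-VM idea above (not the speaker's ASP tool; Python stands in for the script interpreter), the following runs each candidate script with an instrumented request object and stubbed command sinks. A first pass learns which request parameters the script reads, which is the automatic input vector generation; a second pass feeds a taint marker into each of them and reports any command sink that receives it. The three webshell samples and the benign script are constructed for this example; signature matching catches only the plain one, the VM flags all three and clears the benign script. The guarded `__import__` is only enough sandboxing for this demo; a production detector runs the interpreter inside an isolated VM with a timeout.

```python
import base64
import builtins
import re
import types
from typing import Dict, List, Tuple

TAINT = "__TAINT__"   # marker fed into every request parameter in the second pass

# ---- the signature approach the abstract says lags behind metamorphic shells ----
SIGNATURES = [r"os\.system\(", r"subprocess\.", r"\bpopen\("]

def signature_scan(script: str) -> bool:
    return any(re.search(sig, script) for sig in SIGNATURES)

# ---- the script-VM approach: instrumented request object and command sinks ----
class Request:
    """Stand-in for the web framework's request object: records every parameter the
    script reads and answers with the current input vector (a benign string if unset)."""
    def __init__(self, vector: Dict[str, str]):
        self.vector, self.params_read = vector, []
    def get(self, name: str, default: str = "") -> str:
        self.params_read.append(name)
        return self.vector.get(name, "benign")

class Sinks:
    """Fake os/subprocess modules whose command functions only log their arguments."""
    def __init__(self):
        self.calls: List[Tuple[str, str]] = []
    def _hook(self, label: str):
        def hook(*args, **kwargs):
            self.calls.append((label, " ".join(map(str, args))))
            return 0
        return hook
    def modules(self) -> Dict[str, types.ModuleType]:
        os_mod, sp_mod = types.ModuleType("os"), types.ModuleType("subprocess")
        os_mod.system, os_mod.popen = self._hook("os.system"), self._hook("os.popen")
        for fn in ("run", "call", "check_output", "Popen"):
            setattr(sp_mod, fn, self._hook("subprocess." + fn))
        return {"os": os_mod, "subprocess": sp_mod}

def run_in_vm(script: str, vector: Dict[str, str]):
    req, sinks = Request(vector), Sinks()
    fakes = sinks.modules()
    real_import = builtins.__import__
    def guarded_import(name, *args, **kwargs):
        if name in fakes:                           # dangerous modules become sinks
            return fakes[name]
        if name in ("base64", "binascii", "codecs"):  # decoders the shell may unpack with
            return real_import(name, *args, **kwargs)
        raise ImportError(f"{name} is not available inside the analysis VM")
    safe_builtins = dict(vars(builtins))
    safe_builtins["__import__"] = guarded_import
    ns = {"__builtins__": safe_builtins, "request": req, "print": lambda *a, **k: None}
    try:
        exec(script, ns)     # nested exec()/eval() inside the script inherit these globals
    except Exception:
        pass                 # a crashing shell still leaves its sink calls in the log
    return req.params_read, sinks.calls

def analyze(script: str) -> dict:
    params, _ = run_in_vm(script, {})                 # pass 1: which parameters are read?
    vector = {p: TAINT + p for p in params}           # pass 2: taint each of them
    params, calls = run_in_vm(script, vector)
    tainted = [c for c in calls if TAINT in c[1]]
    verdict = "webshell" if tainted else ("suspicious" if calls else "clean")
    return {"verdict": verdict, "params": sorted(set(params)), "sinks": calls}

# ---- constructed samples: Python-flavoured stand-ins for ASP one-liners ----
PLAIN = 'import os\nos.system(request.get("cmd"))\n'
META = 'exec(__import__("base64").b64decode("%s"))\n' % base64.b64encode(PLAIN.encode()).decode()
SPLIT = 'getattr(__import__("o" + "s"), "sys" + "tem")(request.get("c" + "md"))\n'
BENIGN = 'print("hello " + request.get("name"))\n'

if __name__ == "__main__":
    for label, s in [("plain", PLAIN), ("metamorphic", META), ("split", SPLIT), ("benign", BENIGN)]:
        print(f"{label:12} signature={signature_scan(s)!s:5} vm={analyze(s)['verdict']}")
```

The taint marker is what separates a webshell from a script that merely runs a fixed command: both reach a sink, but only the former lets request data flow into it, and that property survives any amount of string splitting or encoding because it is observed at execution time rather than in the file's bytes.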

nEINEI

nEINEI is one of the core members of the ByteHero team and a security researcher at Intel Security. He is one of the designers of the ByteHero Heuristic Detection Engine and provided the BDV engine to the VirusTotal platform. He has many years of experience in information security research and is interested in advanced vulnerability exploitation and detection, viruses, rootkits and reverse engineering. He has spoken at security conferences such as CanSecWest 2014, AVAR 2012, XCon 2010, XCon 2013, XCon 2014 and XCon 2015.

Advanced Exploitation Technology: Breaking AV-Emulator

AV-Emulator techniques started with polymorphic and metamorphic virus detection. Since packers are popular for malware code obfuscation, most compressors or encryption packers can be unpacked by an AV-Emulator. Currently, AV-Emulator technology is relatively mature: it not only simulates the CPU instruction set, but also aims to simulate hardware, NICs, Windows features, the file system, the registry, the GUI, processes, threads, exception handlers and the PE loader in order to run PE EXE, DLL and SYS files. To bypass an AV-Emulator, we need to focus on the differences between the emulator and a real machine. At an early stage, bypass techniques mainly exploited the weaknesses of partial emulation, such as multi-threading, emulation timeouts, parent-process checks, etc. Nowadays these methods are all obsolete; next-generation AV-Emulators from mainstream vendors have simulated these known features. In this talk, I will discuss the architecture and implementation of AV-Emulators. Regarding emulator bypass, we are capable of bypassing all products of mainstream vendors. We focus on weaknesses of AV-Emulator implementation, which are extremely difficult to fix in a short period of time. I will show six ways to bypass the latest versions of Kaspersky, Bitdefender, ESET, VBA32, etc. Therefore we should pay extensive attention to these problems.

Hongwei Jiang (willJ)

Hongwei Jiang (willJ) has been a security researcher at Tencent since 2013. He has spent the last seven years working in PC security, both finding security issues in PC software and improving the security of PC platforms. Outside of work, willJ enjoys applying his hacking and reverse engineering skills to unusual targets. He is actively involved in hackerspaces and is a founding member of 52Pojie and syclover in China. This year he participated in Pwn2Own 2016, where his team, Tencent Security Team Sniper, successfully hacked Adobe Flash.

Flash Player Fuzzing

As a proprietary multimedia player, Flash Player is popular and widely used in all fields. However, Flash Player has had all kinds of security issues disclosed in recent years. In this presentation, I'll first introduce some of Flash Player's attack surfaces and then demonstrate the fuzzing tools used to find this kind of vulnerability. These tools are simple but efficient: I only modified some open-source fuzzers and wrote some new grammar fuzzers. Through these tools I've found 34 vulnerabilities with CVE IDs assigned by the Adobe security team and more than 60 crashes (not null-pointer) in Flash Player. At last, I'll show some results.

Guanxing Wen

Guanxing Wen is a member of Pangu Team. His focus includes root-cause analysis, fuzzing and exploit development. Prior to joining Pangu, Wen worked as a security researcher at Venustech ADLAB. He is actively involved in bug bounty programs such as ZDI and Chrome VRP, and is currently the top bug contributor of the IBB Flash Bounty (@hhj4ck).

Leverage one-shot UAF to a Minigun

Adobe Flash has been a favorite target for exploit developers since 2013. One of the most common exploitation techniques against Flash 0days, especially for Use-After-Free, is to corrupt the length field of an array-like object, which eventually leads to arbitrary memory access and then code execution. Because the Vector/ByteArray primitive is so simple and powerful, in 2015 Adobe introduced mitigations into Flash with the goal of making this old method history. Under the new circumstances, gaining arbitrary memory access is not easy anymore, not to mention implementing a universal method. Unfortunately, to achieve code execution, most exploits need to read process memory, looking for buffers and ROP gadgets. This talk will introduce Use-After-Use-After-Free (UAUAF), a novel and relatively universal exploitation technique for UAF vulnerabilities in Adobe Flash. By leveraging a sequence of object occupations and releases, UAUAF can transform a UAF into a multi-class type confusion in which full memory access is gained again. More importantly, this talk will illustrate UAUAF with a real 0day that I discovered in April. The exploitation process, i.e., from discovering the 0day, gaining full memory access and chaining ROP gadgets to the final code execution, will be presented in detail.

Registration

  • The registration fee includes: access to the 2-day conference (29-30 August), coffee breaks and lunch each day, conference souvenirs, and free admission as an xPwn2016 audience member on 31 August. (xPwn is the geek contest for smart life presented by the XCon committee.)
  • Fees:
    Early bird (before 15 July): $700 per person
    Regular registration (before 22 August): $800 per person
    At the door: $900 per person
  • Send your registration to xcon@huayongxingan.com with the subject "XCon2016 Registration".
  • Your registration e-mail should include: last name, first name, e-mail address, company, country, city, address and special diet (none, vegetarian, Muslim).
  • The XCon organizing committee can help you book a room at the conference hotel at a better rate; if you need this, e-mail us with the subject "XCon2016 Room reservation".


About US


HuaYongXingAn (Beijing) Science Technology Co., Ltd.
www.huayongxingan.com

No. 1725 folk culture street, Gaobeidian , Chaoyang District, Beijing China

+86 10 62029792

xcon@huayongxingan.com