SpeakersSpeaker Bios & Topics
Chong Xu&nEINEI Chong Xu:Chong received his Ph.D. degree from Duke University with networking and security focus. He is currently a director leading McAfee Labs IPS team, which leads the McAfee Labs vulnerability research, malware and APT detection, and botnet detection and feeds security content and advanced detection features to McAfee’s network IPS, host IPS, and firewall products, as well as global threat intelligence.

      nEINEI:nEINEI is one of the core members of ByteHero team, he is a security researcher of McAfee Labs. One of designers of Bytehero Heuristic Detection Engine, he provided the BDV engine with Virustotal/OPSWAT platform. He has many years of experiences on Anti-virus techniques research and be interested in virus research/anti-virus engine design, vulnerability research, network attacks, reverse engineering and has spoken at security conferences such as XCon2010, XCon2013, AVAR2012, and CanSecWest2014.

Combating the Advanced Memory Exploitation Techniques: Detecting ROP with Memory Information Leak.

Although both the memory exploitation and mitigation/prevention techniques evolve rapidly in recent years, the prevention still lags behind of the pace of the evolution of exploitation techniques.For example, by leveraging ROP in combination with memory information leak, an attacker can easily defeat the DEP and forced ASLR. Furthermore, some 3rd-party prevention software or toolkits such as MS EMET can provide some additional detection against ROP via API hooking. But such prevention software relies on the assumption that the meaningful shell code must call certain critical APIs. However, shell code may use some trick, such as hook hopping or using system call, to bypass the API hooks, therefore defeat API hook based detection mechanism. Winning the exploitation battle requires the new defense solutions to be effective and deployable. First, the new solution needs to be able to cover all the popular advanced memory exploitation and bypass techniques, such as ROP, memory information leak, and hook hopping. Second, it has to be easy to deploy (preferable as a runtime solution without any OS/compiler change), and has no major performance, stability, and compatibility impact on the protected applications and systems. To achieve such goals, we take an innovative approach, which can detect ROP, especially the most prevalent and toughest case - ROP with the aid of memory information leak. This approach is able to detect/stop the exploit immediately upon the execution of its first ROP gadget instruction, and to further locate the exact place where the vulnerability is triggered. It should be noted that this approach is different from other detection mechanisms such as instruction instrumentation or emulation. It not only has minimal performance impact on the application, but also is more efficient and effective than other known solutions. Moreover, in its verbose working mode, this approach can also be used to reconstruct the whole exploitation process. For example, for UAF vulnerability exploit, all operations on the relevant objects will be logged; such logs can help the security researchers quickly understand the root cause of the vulnerability.

In this presentation, we will take three most recent real-world 0-day exploits to demonstrate how this new approach can effectively detect and stop ROP attacks. To the best of our knowledge, currently no other detection solution has the capability to catch these 0-day exploits in the very beginning of the exploit execution (in most cases, the 1st ROP gadget), to accurately locate the vulnerability trigger point, and to reveal the root cause behind the vulnerability when possible.
Chengyun Chu Chengyun Chu:Chengyun Chu is a Principe Security Development lead of MSRC Engineering. He joined Microsoft in 2001. He and his defense team generate mitigations and workarounds for use in the monthly Microsoft security bulletins, provide detailed vulnerability documentation for MSRC cases, and act as the engineering technical lead for the Microsoft company-wide Software Security Incident Response Process (http://www.microsoft.com/security/msrc/incident_response.mspx#ESB).

Microsoft's Counter-Zero Day Strategy part IV

Zero day attacks represent one of the most difficult classes of issues for both Microsoft customers and the company's response teams. Four years ago at XCon 2009, Microsoft presented its strategy for countering threats from zero day vulnerabilities by increasing attacker costs and diminishing their returns. In XCon 2011 and XCON 2013, Microsoft presented as the follow-up talk to discuss the progress Microsoft has made since then. As we are facing the ever changing security challenges, today we will present the part IV of our strategy to cover the latest progress Microsoft has made including the new security mitigation in IE, EMET 5.0, etc.
Wenjun Hu (MindMac)&Zihang Xiao(Claud Xiao) Wenjun Hu (MindMac):Wenjun Hu (MindMac) is currently pursuing his master degree at Xi'an Jiaotong University. His research interest mainly focuses on Android malicious code detection and Android application analysis. He was the speaker of xKungfoo 2012, xKungfoo 2013 and HITCON 2014. He also developed SandDroid (an automatic Android application analysis system, http://sanddroid.xjtu.edu.cn)and AndroMalShare (Android malware sharing system, http://202.117.54.231:8080).

      Zihang Xiao(Claud Xiao):Zihang Xiao(Claud Xiao) is a security researcher, mainly focuses on antivirus and application security on the Android and iOS platform. He leads "Android Security" board of the PEDIY forum and was invited to present on HITCON, XCON, ISC, xKungfoo, etc.

Introduction:Guess Where I am: detection and response of avoiding Android simulator

Android emulator is widely used in the field of application's dynamic analysis. After analysis on Android samples in the wild,we found a great number of Android applications own the capacity of detecting Android emulator's existence. We are going to discuss:
  1. Current research and application situation of anti-emulator technology
  2. The proportion of Android applications which utilize emulator detection in the wild
  3. The main methods used by these apps to detect Android emulator
  4. The behavior differences of these apps in a real device and an Android emualtor respectively
  5. The purposes to detect Android emulator
  6. How to modify the Android emulator and make it more like real devices
  7. The effectiveness of such modifications in practice use
  8. Other anti-emulator methods
Peter (@zer0mem) Peter (@zer0mem):Peter (@zer0mem) is a security researcher at KEEN Team (@K33nTeam) and his primary focus is kernel exploitation.Peter has 4+ year experience at IT security in different areas as malware research, developing anti-APT solutions or windows kernel research. Peter has presented at conferences such as SyScan360, ZeroNights, and public his research at his blog zer0mem.sk and github repo.

Introduction:Power of Linked List

In the past was quite common to exploit heap / pool manager vulnerabilities attacking its internal linked structures. However current memory management improve a lot and at current date it is quite ineffective to attack heap in this way. But still those techniques come into hand when we start to looking at linked structures widespread throughout kernel that are unfortunately not hardened enough.

In this presentation we will examine power of these vulnerabilities by famous example “CVE – 2013 - 3660”. Showing bypass on ‘lazy’ assertions of _LIST_ENTRY, present exploitation after party and teleport to kernel.
TBsoft TBsoft:TBsoft is senior researcher in Dept. of Microelectronics and Embedded System of Antiy Labs. In the late '90s, he researched in anti-virus and data recovery technologies on DOS. After that, he began to concentrate on R&D in hardware security till now. He was invited to XCON 2009 conference to give a report about monitoring and interception of wireless keyboard.

Introduction:The detectability of signals——Beyond Wifi, what can we deal with ?

In the era of The Internet of things,Ubiquitous signal carrying the people's daily life, even heartbeat, blood pressure information. This report summarized the various forms of signal transmission and detection methods, explore related issues of privacy and protection. This report shows the experiments results of detection, positioning and communication load feature recognition of various signals,and comes with a demo of locating and identifying of wearable device.
Tianfang Guo&Allan Zhang Tianfang Guo:Tianfang Guo is a founding team member of Trustlook, specialized on malware sandbox detection and vulnerability research on Android platform. Tianfang has 7 years of experience in cyber security industry since college. As a former researcher from Key Lab of Network and Software Security of Peking University, and Palo Alto Networks, his interest covers web security, Windows vulnerability and Android vulnerability & malware analysis.

      Allan Zhang:Allan Zhang is the founder & CEO of Trustlook, a Silicon-Valley based start-up dedicated on mobile security products for consumers. Allan is an expert in vulnerability research and network security with more than 12 years of industrial experience. He once worked for Lucent Technology and nCircle Network Security, and joined Palo Alto Networks as an early employee. In July 2013, he founded Trustlook inc in San Jose.

Introduction:Large-scale Vulnerability Discovery in Android App Markets

Android is more popular than ever. But the developers' security practice is far from catching up. This presentation will demonstrate how much sensitive information can be mined from Android App markets. We built a distributed mining system on AWS and mined more than 3m APK samples from Android App markets. During our analysis on the samples, a large number of sensitive information was discovered: hundreds of apps have leaked their AWS credentials, which allows attackers to gain full control over the cloud infrastructure. Other information leakage includes OAuth secret keys, Database passwords, even the Google Play private keys. We also found lots of apps are prone to popular vulnerabilities like Webview addJavascriptInterface code execution. In this topic, we will disclose some of the vulnerabilities and stories behind them, to raise the alertness of Android developers.
Wan Ming Wan Ming:He has been engaged in computer viruses' research and software protection for a long time.The BBS Moderator of pediy.com and currently works as CTO in NAGA.

Introduction:Linker and loader technology in the application of protective shell

This issue introduces the linker and loader technology in android so file protection, the application of first discusses how the dynamic library so file as a third-party libraries and compile link technique to receive another so document. Then detailed discusses the android so file dynamic loading process, and discuss the loader technology in the application of the custom format. And the use of loader technology for simple operation, so exuviate and explored the hulling for ELF header after repair operations.