XCon2016 Venue: NUO Hotel Beijing
Call For Paper: XCon2016 Call For Paper
2016-8-29 Mon. 1st day

|Time|Speaker|Title|
|---|---|---|
|08:30 - 09:30||XCon2016 Registration|
|09:30 - 09:40||Beginning Speech|
|09:40 - 10:40|Jason Shirk|What it takes to make the Top 100|
|10:40 - 11:40|Tao Wei|Ecosystem Vulnerability|
|11:40 - 13:30||Lunch|
|13:30 - 14:30|Bing Sun / Chong Xu|JIT Spraying never dies - Bypass CFG by leveraging WARP Shader JIT Spraying|
|14:30 - 15:30|Peter Hlavaty|Ice Age melting down: Intel feat considering usefully|
|15:30 - 16:00||Coffee Break|
|16:00 - 17:00|Hongwei Jiang|Flash Player Fuzzing|
|17:00 - 18:00|Chuanwen Chen|Security of mobile application communication|

2016-8-30 Tue. 2nd day

|Time|Speaker|Title|
|---|---|---|
|09:30 - 10:30|Guanxing Wen|Leverage one-shot UAF to a Minigun|
|10:30 - 11:30|nEINEI|Advanced Exploitation Technology: Breaking AV-Emulator|
|11:30 - 13:30||Lunch|
|13:30 - 14:30|Esoul|Introduction to Information Security Risk of SRAM-based FPGA|
|14:30 - 15:30|Kang Wu|Webshell Detection Based On Script Virtual Machine|
|15:30 - 16:00||Coffee Break|
|16:00 - 17:00||Security Forum|
|17:00 - 17:10||Closing Speech|
Surround yourself with style and serenity at NUO Hotel Beijing, one of the newest and most luxurious hotels in China's capital. Inspired by the cultural and artistic achievements of the Ming Dynasty, NUO mixes business with pleasure and art with technology and sustainability. NUO, the Chinese word for promise, is proud to pioneer the future of Chinese luxury hospitality.
NUO Hotel Beijing: 2A Jiangtai Road, Chaoyang District, Beijing 100016 P.R. China
Tel: +86 10 5926 8888
Dr. Tao Wei is Chief Security Scientist of Baidu Inc. and the co-organizer of the UC Berkeley BitBlaze group. For the past 20 years, he has conducted research in many security areas and published papers at top-tier academic and industry security conferences. His research now focuses on mobile security architecture, Internet financial security, threat intelligence and machine learning.
An ecosystem vulnerability is a continuously vulnerable state of a software or Internet ecosystem. In this talk, we will discuss different kinds of ecosystem vulnerabilities, their root causes, and how to mitigate them.
Master of computer application technology and Bachelor of information security, Wuhan University. After graduation, he worked for Alibaba for over 9 years, engaged in application development, core system development and server architecture design. He is a core member of the open source web server project "Tengine", and has rich experience with SSL/TLS in both engineering and research. Now he is a senior security researcher at Antiy, responsible for mobile application vulnerability research.
There are various implementations of communications in mobile applications, and most of them are not secure. Many developers do not even know how to write secure communication code for their applications, except a few senior ones who really care about security. In this talk, I will discuss the common implementations, analyze whether they cause risks, and how to mitigate those risks. In particular, this talk will cover most cases of HTTPS on both the client and the server. Last but not least, the talk will discuss how to customize your own secure protocols to meet different levels of security requirements. There are also specific examples for each part to help the audience understand the contents.
Peter is a Lead for Windows Kernel Research at Keen Lab of Tencent (originally known as KEEN Team), with a primary focus on vulnerability discovery and the development of novel exploitation techniques. He has presented his research at various conferences such as Recon, Syscan, ZeroNights, NoSuchCon and others. Prior to Keen, Peter was an AV (ESET) guy; with 4+ years of experience in that field he switched to offensive software security research focused on Windows and Linux kernel architectures. He is a Pwnie nominee and Pwn2Own 2015 & 2016 (MoP) winner, a member of the GeeKon committee and a GeekPwn judge, and an occasional CTF player. Besides the software security field, he does his best as a wushu player as well.
Kernel exploitation has decades of history, yet the most used techniques are still ones such as ROP. Software-based approaches have finally come to challenge this technique, one more successful than the others. Those approaches usually try to solve far more than the ROP problem alone, and need to handle not only security but, almost more importantly, performance issues. Another common attack vector for redirecting control flow is the stack, which comes from the design of today's architectures, and once again some software approaches have lately tackled this as well. Although these software-based methods are nice pieces of work and effective to a large extent, a new game-changing approach seems to be coming to light: a methodology closing this attack vector that comes right from hardware, Intel. We will compare this approach to its software alternatives, how one interleaves with another and how they can benefit from each other to challenge the attacker by breaking his most fundamental technologies. At the same time, however, we go further, challenging those approaches and showing that even with these technologies in place the attacker is not yet in the corner.
esoul is from Antiy Labs. His technical interests include computer and peripheral hardware security, ICS security, embedded systems and IoT, etc. He is a geek obsessed with technology, and both his work and his hobbies are hardware DIY and hacking. He and his team have presented their work many times at XCon.
Driven by the needs of gene sequencing, large-scale data analysis and machine learning applications, and by the development of microelectronics technology, the FPGA is gradually changing from a dedicated electronic device into a general information processing computing tool. Due to its unique technical characteristics, the FPGA shows great advantages and potential in high performance computing, but it also faces unique information security challenges. This talk presents the research team's preliminary thinking and experimental exploration of the related issues. The technical characteristics and development flow of FPGAs will be described briefly, and the potential security risks of a closed hardware architecture and a closed source tool chain will be analyzed. A simple example will demonstrate the threat of information disclosure.
Jason Shirk is a Principal Security Strategist at Microsoft and runs their Bug Bounty Program (aka.ms/bugbounty). He has spent a number of years in both the software security & user data privacy spaces with roles from owning Microsoft’s Fuzzing Strategy and toolkit to the Security Architect for Bing, penetration test and endpoint security at Bell Labs/Avaya, to now driving overall Security Ecosystem Strategy for Microsoft. Jason speaks regularly at external Security & Privacy conferences, as well as advising program owners across Microsoft and the industry on the evolving nature of building secure software, with user privacy in the forefront.
Bug Bounty continues to be in the news, and new security research comes up regularly. For the last 2 years, Microsoft has published the MSRC Top 100 researchers. This talk will dive into how the rankings are calculated, how they change over time, and what it takes to make the Top 100. Beyond bug bounty, though, Microsoft uses the vulnerabilities, mitigation bypasses, and other security research to make meaningful changes to our software. Jason will discuss some of the research presented at BlackHat by David Weston and Matt Miller on hardening Windows 10. Finally, Jason will discuss the latest Microsoft bounty, areas for researchers to focus on, and how bounty targets are selected.
Chong received his Ph.D. degree in networking and security from Duke University. His current focus includes research and innovation on intrusion and prevention techniques as well as threat intelligence. He is a senior director of Intel Security IPS team, which leads Intel Security vulnerability research, malware and APT detection, and botnet detection and feeds security content and innovative protection solutions into Intel Security’s network IPS, host IPS, and sandbox products, as well as McAfee Global Threat Intelligence (GTI).
Bing Sun is a senior information security researcher, and now leads the IPS security research team of Intel Security Group (formerly McAfee). He has extensive experience in operating system kernel and information security R&D, with an especially deep dive into advanced vulnerability exploitation and detection, rootkit detection, firmware security and virtualization technology. Moreover, Bing is a regular speaker at international security conferences such as XCon, Black Hat and CanSecWest.
Polymorphours, Jowto Tianze lab. Research directions: firmware, hardware security, web security, and the kernels of Windows, Linux, Solaris, etc. Security holes: CVE-2007-5587, CVE-2012-0005. Proofs of concept: MS08-025, MS08-067. 2012 xkungfoo speaker (security holes caused by misusing handle references in Windows).
Webshells can often be found among web files. Hackers use metamorphic webshells to escape from anti-virus software, and their metamorphosis is usually more flexible than that of binaries, especially for the one-clause webshell. The common method to detect webshells is based on file signatures, but it is not timely enough to deal with metamorphic or cryptographic webshells. A webshell's metamorphosis is based on script, so why not use a script virtual machine to detect them? This keynote speech will show you how to use an ASP script interpreter and automatic input vector generation to detect webshells and more; the speaker will give a demonstration after the speech.
nEINEI is one of the core members of the ByteHero team and a security researcher at Intel Security. One of the designers of the Bytehero Heuristic Detection Engine, he provided the BDV engine to the VirusTotal platform. He has many years of experience in information security technique research and is interested in advanced vulnerability exploitation and detection, viruses, rootkits and reverse engineering. He has spoken at security conferences such as CanSecWest 2014, AVAR 2012, XCon 2010, XCon 2013, XCon 2014 and XCon 2015.
AV-Emulator techniques started with polymorphic and metamorphic virus detection. Since packers tend to be popular for malware code obfuscation, most compressors or encryption packers can be unpacked by an AV-Emulator. Currently, AV-Emulator technology is relatively mature: it not only simulates the CPU instruction set, but also aims at simulating hardware, the NIC, Windows features, the file system, the registry, the GUI, processes, threads, exception handlers and the PE loader in order to run PE EXE, PE DLL and PE SYS files. To accomplish an AV-Emulator bypass, we need to focus on the differences between the emulator and a real machine. At an early stage, bypass techniques mainly exploited the weaknesses of partial emulation, such as multi-threading, emulation timeouts, parent process checks, etc. Nowadays, these methods are all obsolete; next-generation AV-Emulators from mainstream manufacturers have simulated these known features. In this talk, I will discuss the architecture and implementation of AV-Emulators. Regarding emulator bypass, we are capable of bypassing all products of mainstream manufacturers. We focus on the weaknesses of AV-Emulator implementations, which are extremely difficult to fix in a short period of time. I will show six ways to bypass the latest versions of Kaspersky, Bitdefender, ESET, VBA32, etc. Therefore we should pay extensive attention to these problems.
HONGWEI JIANG (willJ) has been a security researcher at Tencent since 2013. He has spent the last seven years working in PC security, both finding security issues in PC software and improving the security of PC platforms. Outside of work, willJ enjoys applying his hacking and reverse engineering skills to unusual targets. He is actively involved in hackerspaces and is a founding member of 52Pojie and syclover in China. This year he participated in Pwn2Own 2016, and his team, Tencent Security Team Sniper, successfully hacked Adobe Flash.
As a proprietary multimedia player, FlashPlayer is popular and widely used in all fields. However, all kinds of security issues in FlashPlayer have been disclosed in recent years. In this presentation, I'll first introduce some of FlashPlayer's attack surfaces and then demonstrate the fuzzing tools used to find this kind of vulnerability. These tools are simple but efficient: I only changed some open source fuzzers and made some new grammar fuzzers. Through these tools I've found 34 vulnerabilities with CVE IDs assigned by the Adobe Security Team and more than 60 crashes (not null pointer) in FlashPlayer. At last, I'll show some results.
Guanxing Wen is a member of the Pangu Team. His focus includes performing root-cause analysis, fuzzing and exploit development. Prior to joining Pangu, Wen worked as a security researcher at Venustech ADLAB. He is actively involved in bug bounty programs such as ZDI and Chrome VRP, and is currently the top bug contributor of the IBB Flash Bounty (@hhj4ck).
Adobe Flash has become a favorite target for exploit developers since 2013. One of the most common exploitation techniques against Flash 0days, especially for Use-After-Free, is to corrupt the length field of an array-like object, which eventually leads to arbitrary memory access and then code execution. The Vector/ByteArray primitive is so simple and powerful that in late 2015 Adobe introduced mitigations into Flash with the goal of making this old method history. Under the new circumstances, gaining arbitrary memory access is not easy anymore, not to mention implementing a universal method. Unfortunately, to achieve code execution, most exploits need to read process memory, looking for buffers and ROP gadgets. This talk will introduce Use-After-Use-After-Free (UAUAF), a novel and relatively universal exploitation technique for UAF vulnerabilities in Adobe Flash. By leveraging a sequence of object occupations and releases, UAUAF can transform a UAF into a multi-class type confusion in which full memory access is gained again. More importantly, this talk will illustrate UAUAF with a real 0day that I discovered in April. The exploitation process, i.e. from discovering the 0day, gaining full memory access and chaining ROP gadgets to the final code execution, will be presented in detail.
|Early bird (before 15th July)|Regular registration (before 22nd August)| |
|---|---|---|
|$700 per person|$800 per person|$900 per person|