I spent the last weeks traveling to Singapore and Miami to present my Xenpwn research about double fetch vulnerabilities in paravirtualized devices at Infiltrate and Syscan360. You can find my slides here. Both conferences had great organization, very technical talks and a cool audience. In the following I want to give a short recap of some of the talks I liked the most:
Sean Heelan – Automatic Root-Cause Identification for Crashing Executions (Infiltrate)
Sean Heelan talked about his work on automated root cause analysis. The goal of this research is to give a human researcher a detailed analysis of the potential root causes (in the form of violated predicates) that triggered a crash during a fuzzing run. Sean summarizes the core idea of his research much better than I would be able to in his blog post, which also contains a link to his slides. I’m always a big fan of his talks because he is one of the few people working in the intersection between the academic program verification community and the IT security industry.
Sebastian Apelt – Pwning Adobe Reader (Syscan360 + Infiltrate)
The talk was a great mix of reverse engineering and exploitation techniques and you should definitely check out the slides (maybe the PPTX ones 😉 ) published here.
Matthias Kaiser – Java deserialization vulnerabilities – The forgotten bug class (Infiltrate)
Matthias talked about Java deserialization vulnerabilities, their root causes, history and exploitation techniques. After discussing his approach for finding these bugs (search for or break on ObjectInputStream.readObject()) and useful properties of gadget chains, he walked through a recent vulnerability in Oracle Weblogic and dropped a 0day in the SAP Netweaver P4 protocol.
While most pentesters and security researchers know that the deserialization of arbitrary user input is evil, this still does not seem to be the case for many software developers. Due to the prevalence of “enterprise” Java-based software stacks in many corporate environments, this bug class will probably be a source of vulnerabilities for a really long time. This makes Matthias’s slides a must read for every pentester ;).
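To make the readObject() point concrete from the defender's side, here is an added example (my own, not from Matthias's slides or from any of the products mentioned): the same ObjectInputStream.readObject() call once without protection and once behind an allow-list deserialization filter. It assumes JDK 9 or later for java.io.ObjectInputFilter; the class and method names are mine, and the sample inputs are constructed.

```java
import java.io.*;
import java.util.ArrayList;

// Added example (not from the talk or the slides): the same readObject() call
// with and without a deserialization filter (java.io.ObjectInputFilter, JDK 9+).
public class DeserializationFilterDemo {
    // Vulnerable pattern: untrusted bytes go straight into readObject(), so any
    // serializable class on the classpath can be instantiated by the sender.
    static Object unsafeDeserialize(byte[] untrusted) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allow-list filter rejects every class except the ones
    // this endpoint actually expects, plus limits on graph depth and array size.
    static Object safeDeserialize(byte[] untrusted) throws Exception {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.util.ArrayList;java.lang.String;java.lang.Number;java.lang.Integer;"
                        + "maxdepth=5;maxarray=1000;!*"); // "!*" rejects everything not listed
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(filter);
            return in.readObject(); // throws InvalidClassException on a rejected class
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an object graph the endpoint legitimately expects.
        ArrayList<Integer> expected = new ArrayList<>();
        expected.add(42);
        System.out.println("allow-listed: " + safeDeserialize(serialize(expected)));
        // Constructed stand-in for an unexpected class: harmless, just not on the list.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        System.out.println("unsafe path accepts it: " + unsafeDeserialize(unexpected));
        try {
            safeDeserialize(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered path rejects it: " + e.getMessage());
        }
    }
}
```

The filter is consulted for every class descriptor in the stream, including superclasses such as java.lang.Number for Integer, so an allow-list must name the whole hierarchy the expected objects carry.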
– Best, Felix