{"$schema": "https://c3voc.de/schedule/schema.json", "generator": {"name": "pretalx", "version": "2026.1.1"}, "schedule": {"url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/schedule/", "version": "0.3", "base_url": "https://cfp.ringzer0.training", "conference": {"acronym": "ringzer0-bootstrap24-austin", "title": "Ringzer0 BOOTSTRAP24 Austin", "start": "2024-02-23", "end": "2024-02-24", "daysCount": 2, "timeslot_duration": "00:05", "time_zone_name": "US/Central", "colors": {"primary": "#000000"}, "rooms": [{"name": "Bootloader \ud83d\udccdUnder The Oaks", "slug": "2840-bootloader-under-the-oaks", "guid": "3bf41730-91ab-5a14-a902-5c092de8f1bf", "description": "Bootloader Mixer", "capacity": null}, {"name": "Track 1 \ud83d\udccd Auditorium 1.110", "slug": "2589-track-1-auditorium-1110", "guid": "f1eda731-9bdd-5655-8375-7d590d0456a0", "description": null, "capacity": null}, {"name": "Workshop Track 1 \ud83d\udccdRoom 1.124", "slug": "2590-workshop-track-1-room-1124", "guid": "74a5dce8-61f2-5b53-88e7-c923b6907a10", "description": null, "capacity": null}, {"name": "Workshop Track 2 \ud83d\udccdRoom 1.126", "slug": "2591-workshop-track-2-room-1126", "guid": "b2c6ee57-f009-532c-8b67-fda238dae17d", "description": null, "capacity": null}, {"name": "Workshop Track 3 \ud83d\udccdUnder The Oaks", "slug": "2841-workshop-track-3-under-the-oaks", "guid": "cb5b2510-02ae-58a7-8364-e4b573f3c2d0", "description": null, "capacity": null}, {"name": "BlackHoodie \ud83d\udccdRoom 1.124", "slug": "2842-blackhoodie-room-1124", "guid": "f47c282c-cbac-58e8-a053-5ec76b8c3c86", "description": "Introduction to Software Reverse Engineering", "capacity": null}], "tracks": [], "days": [{"index": 1, "date": "2024-02-23", "day_start": "2024-02-23T04:00:00-06:00", "day_end": "2024-02-24T03:59:00-06:00", "rooms": {"Bootloader \ud83d\udccdUnder The Oaks": [{"guid": "0a37e63c-ac41-57dc-876d-4577025a8c91", "code": "7HFFHD", "id": 39524, "logo": null, "date": "2024-02-23T18:30:00-06:00", 
"start": "18:30", "duration": "00:45", "room": "Bootloader \ud83d\udccdUnder The Oaks", "slug": "ringzer0-bootstrap24-austin-39524-compiler-backdooring-for-beginners", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/7HFFHD/", "title": "Compiler Backdooring For Beginners", "subtitle": "", "track": null, "type": "Workshop", "language": "en", "abstract": "Ever wondered how compiler mitigations are built? Or how a sophisticated build chain attack can target a compiler to place backdoors and other miscreants? Wonder no more, this hands-on workshop shows you how to build your own compiler pass, which can any source code you build to your liking. We'll learn how source code makes its way through the different stages of a compiler into its final binary form, how compilers perform modifications and optimizations of the code, and how they translate their view of the code to a given architecture's binary representation. Students will get a glimpse of how some mitigations everybody knows and loves are actually implemented in a compiler. They'll work hands-on with LLVM Clang, following along theoretical chapters of the workshop, and eventually they'll implement a Clang plugin themselves to sneak a backdoor into otherwise perfectly secure code. \r\nPrerequisites: Linux computer or virtual machine or cloud instance", "description": "Start of workshop: Download and build your own LLVM clone\r\nIntroduction to compiler architecture\r\n- Frontends, Backends, and Intermediate Languages\r\n- Basic compiler passes\r\n- GCC and LLVM Clang in a nutshell\r\nCompiler plugins \r\n- Passes vs. plugins, pros and cons\r\n- Exercise: \"Hello World\" as a Clang pass\r\nCompiler mitigations walkthrough\r\n- How DOES a compiler build canaries?\r\n- (AddressSanitizer at 10.000ft if time allows)\r\n\r\nLab: Homemade Backdoors\r\nDescription: We'll be working on a specially crafted application, which contains a function reading data into a buffer in a safe way. 
The exercise will be to remove sanitization checks and to modify the buffer so that memory corruption becomes possible. Students will receive a skeleton Clang plugin, and will be walked through code constructs needed to locate the target function, the checks and the buffer, and to perform the requested modifications. The students themselves will complete the plugin and verify its efficacy.", "recording_license": "", "do_not_record": false, "persons": [{"code": "SFVJEN", "name": "Marion Marschalek", "avatar": "https://cfp.ringzer0.training/media/avatars/SFVJEN_N4kjwOC.webp", "biography": "Marion Marschalek is a Senior Security Engineer at AWS, where she advises efforts to build threat detection solutions based on machine learning and AI. Previously she held an offensive security research position at Intel and different roles in the threat detection industry, as a malware reverse engineer and incident responder. Marschalek is the founder of BlackHoodie, a hacker bootcamp for women, which is established as a global initiative to attract more diverse talent to the security industry.", "public_name": "Marion Marschalek", "guid": "178ccf17-09d0-548a-a1d0-43140cc832af", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/speaker/SFVJEN/"}], "links": [], "feedback_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/7HFFHD/feedback/", "origin_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/7HFFHD/", "attachments": []}, {"guid": "66dcaf66-11f7-5498-b002-11a6a50a245c", "code": "3KT8RD", "id": 44619, "logo": null, "date": "2024-02-23T19:30:00-06:00", "start": "19:30", "duration": "00:45", "room": "Bootloader \ud83d\udccdUnder The Oaks", "slug": "ringzer0-bootstrap24-austin-44619-best-of-the-worst-misadventures-in-bug-disclosure", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/3KT8RD/", "title": "Best of the Worst: Misadventures in Bug Disclosure", "subtitle": "", "track": null, "type": "Talk", 
"language": "en", "abstract": "This talk looks at some of the best of the worst examples of disclosing bugs to vendors. We'll go behind the scenes to show the sometimes gory details and laughable farces of bug disclosure. Finally, we'll offer some advice to those who may be on the receiving end of disclosure to help them ensure they don't end up in version 2.0 of this talk.", "description": "Founded by TippingPoint in 2005, the Zero Day Initiative (ZDI) program rewards security researchers for responsibly disclosing vulnerabilities. Since that time, the ZDI has grown to be the world's largest vendor-agnostic bug bounty program. Being vendor agnostic means we purchase bug reports from independent security researchers around the world in Microsoft applications, Adobe, Cisco, Apple, IBM, Dell, Trend Micro, SCADA systems, etc... We don't buy every bug report submitted, but we buy a lot of bugs. Of course, this means we disclose a lot of bugs. And not every disclosure goes according to plan.\r\n\r\nThis talk looks at some of the best of the worst examples of disclosing bugs to vendors. Disclosing bugs can get contentious. It can also be confusing when a vendor doesn't have a mature response process. Some reports are frustrating. Some reports are comical. And some are absolutely wild. All of them resulted in face palms at multiple levels. We'll go behind the scenes to show the sometimes gory details and laughable farces of bug disclosure. Finally, we'll offer some advice to those who may be on the receiving end of disclosure to help them ensure they don't end up in version 2.0 of this talk. Finding, disclosing, and fixing bugs are three different processes, and none of those processes are inconsequential. 
Here at the ZDI, we try to improve all three areas wherever we can.", "recording_license": "", "do_not_record": false, "persons": [{"code": "UP7XPQ", "name": "Brian Gorenc", "avatar": "https://cfp.ringzer0.training/media/avatars/UP7XPQ_3YYClWD.webp", "biography": "Brian Gorenc is the Vice President of Threat Research at Trend Micro. In this role, he leads a globally dispersed research organization responsible for the delivery of comprehensive protection technology and threat intelligence to defend against sophisticated attacks. Gorenc is also responsible for the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. The ZDI works to expose and remediate weaknesses in the world's most popular software. Brian is also responsible for organizing and adjudicating the ever-popular Pwn2Own hacking competitions.\r\n\r\nBefore joining Trend Micro, Gorenc worked for Lockheed Martin on the F-35 Joint Strike Fighter (JSF) program. In this role, he led the development effort on the Information Assurance (IA) products in the JSF\u2019s mission planning environment. 
In addition to degrees from Southern Methodist University and Texas A&M, Brian holds multiple certifications including (ISC)2's CISSP and CSSLP.", "public_name": "Brian Gorenc", "guid": "3d84124d-ce4c-56a2-b308-61f93a75ab44", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/speaker/UP7XPQ/"}, {"code": "DEPCB7", "name": "Dustin Childs", "avatar": null, "biography": null, "public_name": "Dustin Childs", "guid": "3804757a-712c-51fd-a769-51005d0aa4f2", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/speaker/DEPCB7/"}], "links": [], "feedback_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/3KT8RD/feedback/", "origin_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/3KT8RD/", "attachments": []}, {"guid": "a58ce91f-76a1-57eb-973c-016fbc9859bc", "code": "EAXQYM", "id": 39516, "logo": null, "date": "2024-02-23T20:30:00-06:00", "start": "20:30", "duration": "00:45", "room": "Bootloader \ud83d\udccdUnder The Oaks", "slug": "ringzer0-bootstrap24-austin-39516-rust-won-t-save-us-finding-and-exploiting-0-days-in-security-appliances", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/EAXQYM/", "title": "Rust Won't Save Us: Finding and Exploiting 0-days in Security Appliances", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Increasingly threat actors are moving off of Windows endpoints and into places less visible like appliances. An analysis of CISA\u2019s Known Exploited Vulnerabilities from 2023, and recent years, reveals that threat actors are targeting and exploiting appliances with both known vulnerabilities and 0-days of their own.\r\n\r\nThis talk covers the vulnerability research process used to discover 16 vulnerabilities across three different security appliances in the Fortinet product line. 
From command injection, SQLi, file reads, and more, this journey started what I dubbed the \u201cForti Forty\u201d, a goal (cut short) to find 40 CVEs in Fortinet appliances. \r\n\r\nAttendees can expect to walk away with a general overview of how to approach reverse engineering security appliances, methodology used in reviewing large systems and code bases, and the common pitfalls that developers make in these complex systems.", "description": "- **Who Am I** (1 min)\r\n\r\n  - Security researcher with many years of experience in vulnerability research, implant development, and attacker TTPs across the commercial and government sector.\u00a0\r\n\r\n- **Overview** (1 min)\r\n\r\n- **A Shift In Tactics** (2 min)\r\n\r\n  - CISA KEV Breakdown\r\n\r\n    - 2023\u2019s Most Targeted Devices by Device Type\r\n    - Initial Access via Border / Security Appliance\r\n    - Why is this thing on the internet?\r\n\r\n- **The Vulnerabilities** (38 min)\r\n\r\n  - Target Selection\r\n\r\n    - Fortinet falls squarely in the type of devices routinely targeted and exploited by threat actors in CISA KEV\r\n    - Fortinet has many security devices that have not received recent CVEs\r\n    - FortiSIEM was acquired via Fortinet acquiring a company, possibly meaning more room for error or a difference in security stack\r\n\r\n  - Vulnerability Research Process\r\n\r\n    - Attack Surface Analysis\r\n\r\n    - Control Flow Analysis\r\n\r\n      - Web Routing Framework\r\n\r\n        - Unauthenticated and Authenticated Handlers\r\n\r\n      - Non-Web Backed Services\r\n\r\n        - Communication Protocol\r\n\r\n      - Authentication\r\n\r\n      - Business Logic\r\n\r\n      - Controllable Inputs\r\n\r\n  - Fortinet FortiSIEM\r\n\r\n    - Appliance Overview\r\n\r\n    - Discovering the Service\r\n\r\n      - Fortinet FortiNAC variant analysis - developers often make the same mistakes\r\n      - Investigating the license upload functionality in Web UI revealed it 
communicated with a \u201cbackend\u201d service, phMonitor, via TCP socket\r\n      - \u201cBackend\u201d service is listening on all interfaces - not so backend\u2026\r\n\r\n    - Developing a Service Client\r\n\r\n      - Reversing the Java Web UI class reveals it's a custom messaging scheme over TCP sockets with message format:\r\n\r\n        - 1\\. Command Type - The integer enum mapped to specific function handlers inside the phMonitor service\r\n        - 2\\. Payload Length - The length of the payload in the message\r\n        - 3\\. Send ID - An arbitrary integer value passed in the message\r\n        - 4\\. Sequence ID - The sequence number of this message\r\n        - 5\\. Payload - The specific data the function handler within phMonitor will operate on\r\n\r\n      - Test client with \u201cLicenseInfo\u201d request returns success!\r\n\r\n    - Reversing the Service\r\n\r\n      - What is the phMonitor service?\r\n\r\n        - At a high-level, it monitors different services across different roles, and exposes an API interface for performing many of the system functions that would be accomplished in the administrative web interface.\u00a0\r\n        - It is the authoritative service when it comes to managing deployment configuration, licensing, and administrative functions of itself and remote roles.\r\n\r\n      - With a working service client, now starts the process of analyzing control flow of the service, and any potential mistakes in command handlers\r\n\r\n      - 100 different command handlers\r\n\r\n        - Change storage configurations\r\n\r\n          - Often calls to a utility \u201cdoSystem\u201d, a system() wrapper - interesting!\r\n\r\n        - Write system settings\r\n\r\n          - Passwords, backup servers, etc\r\n\r\n        - Initiate reverse SSH tunnels with integrated servers\r\n\r\n          - FortiSIEM often deployed with SIEM located in MSP and \u201cCollectors\u201d in client environments\r\n          - Pivot into client 
environments!\r\n\r\n    - Developing the Exploit\r\n\r\n      - Determining the Expected XML Format\r\n      - Command Injection in XML Field\r\n      - Post-Exploitation possibilities - pivoting, reading integration secrets, clearing logs\r\n\r\n  - Fortinet FortiWLM\r\n\r\n    - Appliance Overview\r\n\r\n    - Attack Surface\r\n\r\n      - Web Service backed by Python and Perl\r\n\r\n      - Django Authentication Middleware\r\n\r\n        - Several Unauthenticated Endpoints\r\n\r\n      - Command Injections\r\n\r\n      - SQL Injections\r\n\r\n      - File Reads\r\n\r\n  - Fortinet FortiWeb Manager\r\n\r\n    - Appliance Overview\r\n\r\n    - Attack Surface\r\n\r\n      - Web Service backed by Python\r\n      - Authenticated Command Execution\r\n      - Authenticated Arbitrary File Write\r\n      - Authenticated Arbitrary File Read\r\n\r\n  - Common Developer Pitfalls and Areas of Improvement\r\n\r\n    - Focusing on the Happy Path\r\n\r\n      - Developers, intuitively, focus most of their time and effort in validating the most common user journeys in their applications\r\n      - Often, along a product's lifetime, new features are added for customers - and sometimes in critical areas like authentication\r\n\r\n    - Developing in a Vacuum\r\n\r\n      - Applications and systems often reach enormous levels of complexity, hard for single engineers to know the in-and-outs to safely add a feature\r\n      - Architecture and code reviews are necessary and critical to spot missteps\r\n      - Paired programming with a senior can help juniors understand the design and security aspects of features to up-level them\r\n\r\n    - Defense In Depth\r\n\r\n      - Often, weaponized exploits combine several vulnerabilities to reach system compromise\r\n      - Auditing the authenticated attack surface for simple primitives can limit the blast radius of these chains\r\n      - Run services as least privilege\r\n\r\n- **Future Outlook** (1 min)\r\n\r\n  - Security isn\u2019t 
just for infosec - involve developers more in our community\r\n  - \u201cMemory-safe\u201d languages like Rust won\u2019t save us, but they can help\r\n  - We and threat actors will continue to find vulnerabilities from the 90s, adjust security programs to be as holistic as possible\r\n\r\n- **Q\\&A** (2 min)\r\n\r\n- **References**\r\n\r\n  - Fortinet PSIRTs\r\n\r\n    - FortiSIEM\r\n\r\n      - <https://www.fortiguard.com/psirt/FG-IR-23-130>\r\n\r\n    - FortiWLM\r\n\r\n      - <https://www.fortiguard.com/psirt/FG-IR-23-140>\r\n      - <https://www.fortiguard.com/psirt/FG-IR-23-143>\r\n      - <https://www.fortiguard.com/psirt/FG-IR-23-142>\r\n\r\n    - FortiWeb Manager\r\n\r\n      - Awaiting patches", "recording_license": "", "do_not_record": false, "persons": [{"code": "LYLLNU", "name": "Zach Hanley", "avatar": "https://cfp.ringzer0.training/media/avatars/LYLLNU_d7A5ilQ.webp", "biography": "Zach Hanley has been hooked on exploit development and offensive security since introduced to the world of hacking as an On-Net Operator for DoD and IC organizations. He\u2019s since developed implants and exploits for both the government and commercial sector and competed in Pwn2Own. 
He currently is a vulnerability researcher and attack engineer for Horizon3.ai.", "public_name": "Zach Hanley", "guid": "a28df844-e15a-5395-9c85-a4cc58920c6d", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/speaker/LYLLNU/"}], "links": [], "feedback_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/EAXQYM/feedback/", "origin_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/EAXQYM/", "attachments": []}], "BlackHoodie \ud83d\udccdRoom 1.124": [{"guid": "0baa4fb8-3445-58b9-9207-49f0df18534b", "code": "QQWFQU", "id": 44621, "logo": null, "date": "2024-02-23T09:00:00-06:00", "start": "09:00", "duration": "08:00", "room": "BlackHoodie \ud83d\udccdRoom 1.124", "slug": "ringzer0-bootstrap24-austin-44621-blackhoodie-training-introduction-to-software-reverse-engineering", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/QQWFQU/", "title": "BlackHoodie Training: Introduction to Software Reverse Engineering", "subtitle": "", "track": null, "type": "Workshop", "language": "en", "abstract": "Ever wanted to know what a binary looks like from the inside? Wonder no more, binary insides is all you will see in this class. We\u2019ll go from 0 to yo there\u2019s a bug in your application in just one day. This training is very busy, from file formats, loaders and process execution, disassemblers and debuggers, to bug hunting of the special kind. But don\u2019t worry, we\u2019ll arm you with all the necessary skills! The target will be x86-64 Linux ELF executables.", "description": "Ever wanted to know what a binary looks like from the inside? Wonder no more, binary insides is all you will see in this class. We\u2019ll go from 0 to yo there\u2019s a bug in your application in just one day. This training is very busy, from file formats, loaders and process execution, disassemblers and debuggers, to bug hunting of the special kind. But don\u2019t worry, we\u2019ll arm you with all the necessary skills! 
The target will be x86-64 Linux ELF executables.", "recording_license": "", "do_not_record": false, "persons": [{"code": "SFVJEN", "name": "Marion Marschalek", "avatar": "https://cfp.ringzer0.training/media/avatars/SFVJEN_N4kjwOC.webp", "biography": "Marion Marschalek is a Senior Security Engineer at AWS, where she advises efforts to build threat detection solutions based on machine learning and AI. Previously she held an offensive security research position at Intel and different roles in the threat detection industry, as a malware reverse engineer and incident responder. Marschalek is the founder of BlackHoodie, a hacker bootcamp for women, which is established as a global initiative to attract more diverse talent to the security industry.", "public_name": "Marion Marschalek", "guid": "178ccf17-09d0-548a-a1d0-43140cc832af", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/speaker/SFVJEN/"}], "links": [], "feedback_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/QQWFQU/feedback/", "origin_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/QQWFQU/", "attachments": []}]}}, {"index": 2, "date": "2024-02-24", "day_start": "2024-02-24T04:00:00-06:00", "day_end": "2024-02-25T03:59:00-06:00", "rooms": {"Track 1 \ud83d\udccd Auditorium 1.110": [{"guid": "2f911a17-9afa-5581-9020-0511c148991b", "code": "BJF77N", "id": 44620, "logo": null, "date": "2024-02-24T09:00:00-06:00", "start": "09:00", "duration": "00:45", "room": "Track 1 \ud83d\udccd Auditorium 1.110", "slug": "ringzer0-bootstrap24-austin-44620-revisiting-2017-ai-and-security-7-years-later", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/BJF77N/", "title": "Revisiting 2017: AI and Security, 7 years later", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "In 2017, I gave a keynote at ZeroNights Moscow about the role of AI in security, both on the offensive and the defensive side. 
This keynote will revisit the topics of 2017, and discuss how the changing landscape of AI and security has affected and changed, and which parts remain unchanged.", "description": "In 2017, I gave a keynote at ZeroNights Moscow about the role of AI in security, both on the offensive and the defensive side. This keynote will revisit the topics of 2017, and discuss how the changing landscape of AI and security has affected and changed, and which parts remain unchanged.", "recording_license": "", "do_not_record": false, "persons": [{"code": "XUNXWT", "name": "Thomas Dullien", "avatar": null, "biography": null, "public_name": "Thomas Dullien", "guid": "40e6ef1b-c736-5892-8cbf-bf986c0b16c3", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/speaker/XUNXWT/"}], "links": [], "feedback_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/BJF77N/feedback/", "origin_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/BJF77N/", "attachments": []}, {"guid": "8fd1a2bd-70d9-5b50-a455-4e8f7e1982e5", "code": "NXCUE3", "id": 38844, "logo": null, "date": "2024-02-24T10:00:00-06:00", "start": "10:00", "duration": "00:45", "room": "Track 1 \ud83d\udccd Auditorium 1.110", "slug": "ringzer0-bootstrap24-austin-38844-exploring-the-lay-of-the-llm-detection-landscape", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/NXCUE3/", "title": "Exploring the lay of the LLM detection landscape", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "The world is awash in large-language model (LLM) AI (e.g., ChatGPT) news, predictions, and of course, content (all for good and ill). This talk takes a step back from the posturing and hype to look at how these models work, and how to detect the content they produce. We will look at the fundamentals of LLM-generated text detection, compare the best in breed: GPTZero, Roberta, etc. 
detector with a novel detector, ZipPy.\r\nZipPy is a new, open-source LLM text detector (and attribution tool!) developed by Thinkst Labs that is 60-100x faster than the competition, over 1000x smaller (< 200KB), and for many types of content, more accurate. We will explain the intuition behind ZipPy, show how it works, and the types of content it struggles with. Finally, we look at where LLMs can improve their stealth, and fundamental shortcomings in their designs that enable detection long-term.", "description": "Are LLMs going to upend, or just end the world? Will malevolent AIs spread disinformation and FUD to enslave humanity in a world of fear? Will Roko's Basilisk come to pass? In order to help stay these dramatic end-times, LLM content detectors are here! We can build safe, AI-free zones to limit the digital \"noise\" that these models can blast out at scale, if only we can reliably detect and classify a content's origin.\r\nThis talk does a deep dive into the leading LLM text detectors, both open-source and commercial, and compares them against a number of different datasets. Next, we throw into the mix ZipPy, a novel open-source detector based on code written in the mid-1980s that outperforms the state-of-the-art in a number of dimensions. ZipPy is simple (less than 200 lines of Python), and it codifies the intuition about a core difference between LLMs and humans that no additional amount of data or training cores can overcome--being unique! Using ZipPy we can walk through the features used to differentiate a text's origins and how with a simple, embedded detector we can build a human-centric world where LLMs are used only to help us rather than subvert us.", "recording_license": "", "do_not_record": false, "persons": [{"code": "U9778S", "name": "Jacob Torrey", "avatar": "https://cfp.ringzer0.training/media/avatars/U9778S_JoCcEEQ.webp", "biography": "Jacob is the Head of Labs at Thinkst Applied Research. 
Prior to that he managed the HW/FW/VMM security team at AWS, and was a Program Manager at DARPA's Information Innovation Office (I2O). At DARPA he managed a cyber security R&D portfolio including the Configuration Security, Transparent Computing, and Cyber Fault-tolerant Attack Recovery programs. Starting his career at Assured Information Security, he led the Computer Architectures group performing bespoke research into low-level systems security and programming languages. Jacob has been a speaker and keynote speaker at conferences around the world, from BlackHat USA, to SysCan, to TROOPERS and many more. When not in front of the computer, he enjoys trail running, volunteering as a firefighter/EMT, and hiking with his family.", "public_name": "Jacob Torrey", "guid": "bd7c0709-4320-592b-acd7-62e83fb6de45", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/speaker/U9778S/"}], "links": [], "feedback_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/NXCUE3/feedback/", "origin_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/NXCUE3/", "attachments": []}, {"guid": "648f3a26-155f-5c98-9623-49b8813998be", "code": "8FM8V3", "id": 39464, "logo": "https://cfp.ringzer0.training/media/ringzer0-bootstrap24-austin/submissions/8FM8V3/EMFI_4vbWVM2.jpeg", "date": "2024-02-24T11:30:00-06:00", "start": "11:30", "duration": "00:45", "room": "Track 1 \ud83d\udccd Auditorium 1.110", "slug": "ringzer0-bootstrap24-austin-39464-glitching-in-3d-low-cost-emfi-attacks", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/8FM8V3/", "title": "Glitching in 3D: Low Cost EMFI Attacks", "subtitle": "", "track": null, "type": "Talk", "language": "en", "abstract": "Advances in embedded device security features have led to more and more researchers utilizing fault injection techniques to bypass security features and gain increased access to systems. 
While some open-source tools exist to perform these types of attacks, there are still many hurdles that researchers must overcome when conducting their power analysis of a device that they wish to perform a fault injection attack. \r\n\r\nWhile vulnerable to voltage glitching attacks, sudden voltage drops at specific timings can cause permanent damage to devices. We will begin this talk by describing our power analysis research that led us to an RDP bypass on the STM32F4 via voltage glitching. Despite being able to bypass RDP protections with a traditional voltage glitch, the attack would occasionally permanently damage the device. As a result of this, we developed a more reliable EMFI attack. \r\n\r\nThis talk describes utilizing open-source tools to perform an EMFI attack on an STM32F4 microcontroller, allowing for a full RDP (read-out-protection) bypass via a targeted EMP. This research will release the open-source tooling used to instrument a generic 3D printer and examples of how we integrated it into the workflow utilizing the ChipWhisperer Husky and PicoEMP.", "description": "This work describes the process of performing a new fault injection attack. We begin with the test firmware we used to dial in the physical glitch parameters such as location, placement, etc. After dialing in these glitch parameters for maximum consistency, we target the boot ROM of the STM32F4. To determine **where** to place the glitch, we review the power trace of the boot ROM and an extracted boot ROM in Ghidra. The first section of the talk will focus on traditional voltage glitching and power trace analysis. \r\n\r\nAfter demonstrating that a readout protection bypass is possible via voltage glitching, we will discuss the risk of these attacks and how they can permanently damage devices. Given this risk, we attempted to trigger the same glitch with an EMP instead of a traditional voltage glitch. 
Performing an EMFI attack introduces new variables, probe shape, placement, and pulse shape, to name a few. \r\n\r\nWhile some tools exist to help instrument and perform EMFI attacks, they are prohibitively expensive and require bespoke training and extensive experience. We wanted to complete one of these attacks as cheaply as possible and utilize open-source hardware for the instrumentation of the EMP probe, leading us to use the PicoEMP to generate the EMP and a 3D printer to automate the positioning and placement of the probe.\r\n\r\nAfter 3D printing a custom bracket for the EMP and developing software to control the printer, we could automate glitch data collection while instrumenting the X/Y/Z coordinates of the probe. We determined the optimal probe placement for performing our previously discovered RDP bypass using the resulting data. A portion of this talk will review that data and some of the tools we developed to help visualize the data collection results to determine optimal probe placement. \r\n\r\nUsing the probe placement data generated from our testing, we developed a consistent RDP bypass for the STM32F4 via a targeted EMP using the power trace analysis from our first glitch. This attack allowed for flash readout capabilities on locked STM32F4 processors. We also will discuss how we've used these tools and resulting workflows to target other microcontrollers, such as the Nuvoton M032 series.\r\n\r\nAfter this talk, we will release the Jupyter notebooks, libraries, tools used to instrument the 3D printer, and the ChipWhisperer Husky and PicoEMP. 
We will also publish a long-form write-up (blog post) describing the process.", "recording_license": "", "do_not_record": false, "persons": [{"code": "DNYPA3", "name": "Matthew Alt (wrongbaud)", "avatar": "https://cfp.ringzer0.training/media/avatars/DNYPA3_rMm21Fl.webp", "biography": "Matthew began his reverse engineering career in the aftermarket automotive industry, searching for vulnerabilities in engine control units' diagnostic protocol implementations. Next, he worked at MIT Lincoln Laboratory, where he led a team focused on embedded systems analysis. While at MIT, Matthew was awarded the Outstanding Contributor Award for his technical contributions. You can find other examples of his work and teaching style on his personal blog, the VSS research blog and through the free Ghidra course he authored at Hackaday.", "public_name": "Matthew Alt (wrongbaud)", "guid": "9ffe2017-5177-5647-8fd5-f6b0b415b973", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/speaker/DNYPA3/"}], "links": [], "feedback_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/8FM8V3/feedback/", "origin_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/8FM8V3/", "attachments": [{"title": "Glitch Graph", "url": "/media/ringzer0-bootstrap24-austin/submissions/8FM8V3/resources/glitch3_y289P0c.png", "type": "related"}, {"title": "Glitch Graph 2", "url": "/media/ringzer0-bootstrap24-austin/submissions/8FM8V3/resources/glitch1_v3KRupj.png", "type": "related"}, {"title": "Glitching Rig", "url": "/media/ringzer0-bootstrap24-austin/submissions/8FM8V3/resources/EMP_RIG_B5gOioR.jpeg", "type": "related"}]}], "Workshop Track 1 \ud83d\udccdRoom 1.124": [{"guid": "b5b9598e-3ab9-59ea-924d-af35510456dc", "code": "JEETKU", "id": 38467, "logo": "https://cfp.ringzer0.training/media/ringzer0-bootstrap24-austin/submissions/JEETKU/emu_Uird1ft.jpg", "date": "2024-02-24T11:00:00-06:00", "start": "11:00", "duration": "01:30", "room": "Workshop Track 1 
\ud83d\udccdRoom 1.124", "slug": "ringzer0-bootstrap24-austin-38467-qemu-for-fuzz-and-profit-emulation-fuzzing-deep-dive-into-cybersecurity-techniques", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/JEETKU/", "title": "QEMU For Fuzz and Profit: Emulation & Fuzzing: Deep Dive into Cybersecurity Techniques", "subtitle": "", "track": null, "type": "Workshop", "language": "en", "abstract": "Emulation and fuzzing are among the many techniques that can be used to improve cybersecurity; however, utilizing these efficiently can be tricky. This workshop will help you understand how these powerful tools and techniques work. Using a couple of real-world use cases and practical examples, this talk will help you grasp the fundamental concepts of fuzzing and emulation along with advanced vulnerability research, providing you with the tools and skills needed to find security flaws in your software.\r\nThe workshop will showcase the QEMU Course, where we move among different architectures and harnesses. We will show famous tools such as American Fuzzy Lop (AFL) and its improved version, AFL++. You\u2019ll learn how to combine these powerful tools to create your own emulation and fuzzing environment and then use it to discover vulnerabilities in various systems, such as iOS, Android, and Samsung\u2019s Mobile Baseband software, Shannon.", "description": "\"Emulation & Fuzzing: Deep Dive into Cybersecurity Techniques\"\r\n\r\nJoin us for a comprehensive 90-minute workshop where we delve into cutting-edge techniques of emulation and fuzzing, drawing insights from Fuzzing Against the Machine. 
This immersive session promises to equip you with both foundational knowledge and advanced practices in the realm of cybersecurity.\r\n\r\nWorkshop Highlights:\r\n\r\nSetting the Stage: Get acquainted with the prerequisites and tools vital to grasp the nuances of this workshop, ensuring you can make the most of the content ahead.\r\n\r\nJourney Through Time: Embark on a historical exploration of emulation, understanding its evolution, nuances, and its paramount role in the ever-evolving landscape of cybersecurity.\r\n\r\nQEMU - The Emulator Spotlight: Get an in-depth understanding of QEMU - our system emulator of choice, learning about its internals, capabilities, and previous success stories.\r\n\r\nFuzzing with QEMU: Dive into the intricacies of QEMU's execution modes and the dynamic world of fuzzing. Understand static versus dynamic fuzzing and their practical applications.\r\n\r\nCase Studies Galore:\r\n\r\nRelive the discovery of a 2011 vulnerability in VLC through the synergy of QEMU and AFL.\r\nUnderstand the real-world implications with a look into the vulnerability found in modern Samsung phones.\r\nVenture into full-system fuzzing with studies on OpenWRT, diving into nuances when targeting different architectures such as ARM.\r\nWitness the marvel of iOS full-system fuzzing, understanding the unique challenges and solutions involved.\r\nExplore the world of Android libraries and their vulnerabilities, leveraging the open-source project Sloth.\r\nConcluding Thoughts: Summarize the wealth of knowledge, emphasizing the significance of the research and future directions in this critical domain of cybersecurity.\r\n\r\nThis workshop promises a holistic understanding, from basics to advanced techniques, ensuring participants can apply these insights to real-world challenges. Whether you're a novice in cybersecurity or a seasoned practitioner, this session has something valuable for everyone. 
Join us in this engaging journey, drawing from the extensive research and practical examples from Fuzzing Against the Machine.", "recording_license": "", "do_not_record": false, "persons": [{"code": "RMK8FP", "name": "Antonio Nappa", "avatar": "https://cfp.ringzer0.training/media/avatars/RMK8FP_6hSRlfu.webp", "biography": "ANTONIO NAPPA, PH.D IS THE APPLICATION ANALYSIS TEAM LEADER AT ZIMPERIUM INC. BEFORE JOINING ZIMPERIUM HE WORKED AT BRAVE SOFTWARE AND CORELIGHT.\r\n\r\nANTONIO HAS BEEN ACTIVE IN THE CYBERSECURITY INDUSTRY SINCE 17 YEARS. HE HAS BEEN A VISITING SCHOLAR AT UC BERKELEY, EURECOM, VSB-TUO. HE HAS PUBLISHED MORE THAN 15 PAPERS IN INTERNATIONAL PEER-REVIEWED VENUES. HE IS ALSO AN INVENTOR AND A WELL RECOGNIZED ADJUNCT PROFESSOR AT UC3M MADRID.\r\n\r\nHE IS CO-AUTHOR OF: FUZZING AGAINST THE MACHINE: AUTOMATE VULNERABILITY RESEARCH WITH EMULATED IOT DEVICES ON QEMU, PACKT PUBLISHING 2023.\r\n\r\nSINCE THE DEFCON 2008 FINALS WITH THE GUARD@MYLAN0 TEAM, HE NEVER GOES TO SLEEP WITH A SEGFAULT.", "public_name": "Antonio Nappa", "guid": "f0ecdac0-ea21-568c-84cc-315fbc23064b", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/speaker/RMK8FP/"}], "links": [], "feedback_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/JEETKU/feedback/", "origin_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/JEETKU/", "attachments": []}, {"guid": "da305dfe-5731-5b73-9e87-bce971289cb7", "code": "97FX9D", "id": 39515, "logo": null, "date": "2024-02-24T13:30:00-06:00", "start": "13:30", "duration": "01:30", "room": "Workshop Track 1 \ud83d\udccdRoom 1.124", "slug": "ringzer0-bootstrap24-austin-39515-fault-injection-characterization", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/97FX9D/", "title": "Fault Injection Characterization", "subtitle": "", "track": null, "type": "Workshop", "language": "en", "abstract": "Most of you have likely heard about hardware *Fault Injection*. 
Actually, it's likely some of you have experience injecting glitches into chips. However, many of you are likely still unaware of the full potential of the faults you are, sort of randomly, bringing to life. In this workshop, you will conduct a hands-on *Fault Injection* experiment and model your faults systemically. This understanding allows you to envision, and potentially devise, powerful *Fault Injection* exploits.", "description": "In this Fault Injection workshop you will be doing the following:\r\n\r\n- Build a Fault Injection setup using NewAE Husky\r\n- Perform Fault Injection Characterization experiments\r\n- Describe the faults you are creating by injecting glitches\r\n\r\nNote, the activities performed in this workshop are also part of our 'The Art of Fault Injection' training.", "recording_license": "", "do_not_record": false, "persons": [{"code": "BQSLFT", "name": "tieknimmers", "avatar": "https://cfp.ringzer0.training/media/avatars/BQSLFT_rAPzdzs.webp", "biography": "Niek has been analyzing and testing the security of software and hardware of secure devices for over a decade. 
His interest is typically sparked by technologies where the hardware of the device is fundamentally part of the equation.", "public_name": "tieknimmers", "guid": "e5286410-773c-572e-ada1-c58bf205f1a7", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/speaker/BQSLFT/"}], "links": [], "feedback_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/97FX9D/feedback/", "origin_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/97FX9D/", "attachments": []}, {"guid": "8c44ac40-58c3-5784-914d-77cd122fd460", "code": "3XSPQZ", "id": 38297, "logo": "https://cfp.ringzer0.training/media/ringzer0-bootstrap24-austin/submissions/3XSPQZ/_b1034b85-ebb0-4c2b-9717-21b31ae1a6e5_vnOJpXO.jpg", "date": "2024-02-24T15:30:00-06:00", "start": "15:30", "duration": "01:30", "room": "Workshop Track 1 \ud83d\udccdRoom 1.124", "slug": "ringzer0-bootstrap24-austin-38297-patch-diffing-in-the-dark", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/3XSPQZ/", "title": "Patch Diffing In The Dark", "subtitle": "", "track": null, "type": "Workshop", "language": "en", "abstract": "The goal of this workshop is to teach participants how to use patch diffing techniques to analyze real-world vulnerabilities in Microsoft Windows via (CVE-2023-28308) and Android via (CVE-2022-36934). The main point of the workshop is to help researchers understand that they already have the information and tools needed to understand complex vulnerabilities. By learning to patch diff \"in the dark\", a researcher can progress from knowing about a vulnerability to actually understanding its root cause.", "description": "The workshop will cover the following topics:\r\n\r\n1.  
Introduction (15 minutes)\r\n    -   Explain what patch diffing is and why it is useful for vulnerability research\r\n    -   Give an overview of both CVE vulnerabilities and their impact\r\n    -   Introduce the tools and data sets that will be used in the workshop (Ghidra, patched and unpatched binaries, update files, etc.)\r\n    -   Exercise:\r\n        -   Check participants can run required tools and have access to provided resources\r\n2.  Patch Analysis (40 minutes)\r\n    -   Learn the different methods to obtain the binaries needed for patch diffing across Windows and Android\r\n    -   Demonstrate how to use Ghidra to compare the patched and unpatched binaries and identify the changes\r\n    -   Explain how to interpret the diff results and locate the vulnerable function\r\n    -   Exercise:\r\n        -   Have participants import and analyze binaries, and perform a patch diff\r\n3.  Vulnerability Analysis (40 minutes)\r\n    -   Teach a method to determine how to reach the identified vulnerable function\r\n    -   Explain how the vulnerabilities can be triggered by sending a specially crafted input\r\n    -   Show how to use a debugger (WinDbg / adb) to attach to a process and set breakpoints on the vulnerable function\r\n    -   Demonstrate how to craft a malicious input to trigger the CVE\r\n    -   Exercise:\r\n        -   Have participants try to identify the vulnerable function and provide guidance.\r\n        -   Have participants step through the vulnerable function\r\n4.  
Conclusion (15 minutes)\r\n    -   Summarize the main points and learning outcomes of the workshop\r\n    -   Provide some tips and resources for further learning and practice on patch diffing and vulnerability analysis\r\n    -   Answer any questions from the participants and collect feedback\r\n\r\nRequirements for the Workshop:\r\n\r\n-   Laptop with Ghidra installed or ability to run workshop VM\r\n-   Internet access to download workshop resources", "recording_license": "", "do_not_record": false, "persons": [{"code": "AMK8KJ", "name": "John McIntosh", "avatar": "https://cfp.ringzer0.training/media/avatars/AMK8KJ_eIBiNXT.webp", "biography": "A security researcher @clearseclabs who is passionate about learning and sharing knowledge on various aspects of information security. He has a keen interest in binary analysis, patch diffing, and vulnerability discovery. He is the creator of several open-source security tools and also blogs regularly about his research projects and experiments with Ghidra and patch diffing. 
You can follow him on Twitter @clearbluejar or visit his website https://clearbluejar.github.io.", "public_name": "John McIntosh", "guid": "a86723a0-d43e-5cdc-bea2-78bcf82dc47d", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/speaker/AMK8KJ/"}], "links": [], "feedback_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/3XSPQZ/feedback/", "origin_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/3XSPQZ/", "attachments": []}], "Workshop Track 2 \ud83d\udccdRoom 1.126": [{"guid": "8c190cf5-83dd-5275-889f-2e136b9a4e43", "code": "HCTCHK", "id": 38729, "logo": null, "date": "2024-02-24T13:30:00-06:00", "start": "13:30", "duration": "01:30", "room": "Workshop Track 2 \ud83d\udccdRoom 1.126", "slug": "ringzer0-bootstrap24-austin-38729-binary-reversing-and-whole-firmware-diffing", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/HCTCHK/", "title": "Binary Reversing and Whole Firmware Diffing", "subtitle": "", "track": null, "type": "Workshop", "language": "en", "abstract": "Diffing is used in reverse-engineering to analyze two variants or versions of the same software, whether it is a legitimate executable or malware. It is useful to transfer information from one program to another, for anti-plagiarism, or for patch analysis and thus vulnerability research. While multiple diffing tools exist, little has been done to perform it at scale on numerous binaries.\r\n\r\nThis workshop introduces a variety of tools to both analyze binaries by working on their representation extracted from a disassembler and also tools to automate diffing with Bindiff. All these tools have been open-sourced very recently and documentation is available at https://diffing.quarkslab.com.", "description": "This workshop is targeting tech-savvy people eager to know more about reverse-engineering, up to experienced red teamers. 
Anyone will be able to take advantage of this workshop and to take away practical knowledge, get familiar with various tools and to get an overview of various use-cases where it can be applied. The outline of the workshop is given below.\r\n\r\nFirst, the workshop will recall basics about reverse-engineering, x86_64 assembly, ELF format, and how to get familiar with IDA Pro or Ghidra for analyzing programs at binary level. Once everyone is back on the same basis we will move to scripting some analyses.\r\n\r\nThen, we will introduce the concept of binary exporters, which aim at dumping the whole Ghidra/IDA Pro disassembly into a file that can then be manipulated without having to keep the disassembler open. We will present [python-binexport](https://github.com/quarkslab/python-binexport), a wrapper around Binexport (Google's exporter) to automate the export and the processing of exported files. Then we will present [Quokka](https://github.com/quarkslab/quokka), which we developed and which improves on Binexport by being more exhaustive and more compact.\r\n\r\nFrom there, we will start manipulating executable files exported with binexport or quokka to start digging into the binary. Multiple exercises will be given to get familiar with the API, and to search for various information in the binary, e.g. which function uses a specific string? What parameters are given to a specific function call? Various binaries will be used as examples, including some malware code. We will also write scripts that can be batched on multiple executables.\r\n\r\nThereafter, we will move to the binary diffing use-case and show how to analyze an update by comparing the two programs in order to understand what has been patched. First, an introduction to [Bindiff](https://www.zynamics.com/bindiff.html) will be done to show how to do manual diffing. 
Then we will introduce [python-bindiff](https://github.com/quarkslab/python-bindiff/) to show how to automate the diffing process and how to manipulate the result seamlessly.\r\n\r\nNo existing utility or library enables manipulating a diff programmatically to perform security analyses. We will give a glimpse of how this can be done using our collection of tools with some exercises aiming at finding the key modifications between two binaries.\r\n\r\nWe will conclude with a practical to perform a diff between two firmware versions used at Pwn2own 2022. The goal of the practical is identifying key changes in order to understand what has been updated by performing **whole firmware diffing**. This practical will also leverage another tool, [Pyrrha](https://github.com/quarkslab/pyrrha), that we developed for firmware cartography.", "recording_license": "", "do_not_record": false, "persons": [{"code": "GEYWT8", "name": "Robin David", "avatar": "https://cfp.ringzer0.training/media/avatars/GEYWT8_kdQeqGB.webp", "biography": "Robin David, PhD, is the automated analysis team leader at Quarkslab and a full-time software security researcher. He is working on various technologies like greybox fuzzing, symbolic execution, firmware analysis and deobfuscation, for which he is actively working on open-source tools to help the community.\r\nHe has been presenting his work in a variety of industrial conferences like Black Hat or BalCCon but also academic venues like S\\&P, BAR, or ISSTA. 
He is also a trainer at RingZero.", "public_name": "Robin David", "guid": "d626f3fe-8f6a-57e7-adb6-ee1069991ba2", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/speaker/GEYWT8/"}], "links": [], "feedback_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/HCTCHK/feedback/", "origin_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/HCTCHK/", "attachments": []}, {"guid": "117e0bc5-a0a4-5d09-9a4d-ab504ef9acd0", "code": "DNUPPY", "id": 38416, "logo": null, "date": "2024-02-24T15:30:00-06:00", "start": "15:30", "duration": "01:30", "room": "Workshop Track 2 \ud83d\udccdRoom 1.126", "slug": "ringzer0-bootstrap24-austin-38416-mastering-offensive-hooking-and-unhooking", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/DNUPPY/", "title": "Mastering Offensive Hooking and Unhooking", "subtitle": "", "track": null, "type": "Workshop", "language": "en", "abstract": "Hooking is a powerful method employed to monitor, intercept and manipulate the flow of data and control within an application. It involves injecting custom code inside a target process to alter or enhance its functionality. Hooking plays a pivotal role in game anti-cheat, fortifying security controls, gathering valuable telemetry data, and empowering Endpoint Detection and Response (EDR) systems. This workshop delves deep into advanced hooking techniques and provides a unique opportunity for participants to master this intricate art. 
Whether you're a seasoned malware researcher seeking to dissect threats or a red teamer looking to uncover defense blind spots, this workshop will equip you with the skills and knowledge needed to excel in your security endeavors.", "description": "Section 1 \u2013 The first section of the workshop will focus on basic concepts of the Portable Executable (PE) file format, an introduction to Windows APIs, and foundation-setting for the advanced concepts and hands-on work in later sections.\r\n\r\n- PE basics - Students will understand the program execution lifecycle in Windows and the PE file structure (imports, exports, etc.)\r\n- Windows API - Students will learn about the inner workings of Windows and how various GUI components interact with the kernel via APIs and syscalls. This will include hands-on labs that will require participants to use Windows APIs via code (C++) to perform simple operations like process creation, file creation, etc.\r\n- NT API & Syscalls \u2013 Students will be introduced to the NT APIs present in ntdll. These APIs will later be hooked to monitor API calls transitioning from user to kernel mode via syscalls.\r\n\r\nSection 2 \u2013 The focus of this session will be to get started with hooking the Windows API, via manual methods as well as tools like Frida. Through these exercises, students will become accustomed to hooking Windows applications and monitoring API arguments.\r\n\r\n- Introduction to hooking \u2013 Students will be introduced to the basics of hooking. Both manual and automated hooking techniques (using tools like Frida and Detours) will be demonstrated.\r\n- Hooking native Windows and commercial applications - Students will be given a live demonstration of hooking on a few Windows applications and how to identify the correct APIs on which hooks need to be placed.\r\n- Simple keylogger \r\n\r\nSection 3 \u2013 The focus of this section will be to demonstrate the legitimate usage of hooking in Windows systems by EDRs. 
Unhooking (removing existing hooks) as a concept will also be introduced as a means to bypass security controls present on a host.\r\n\r\n- EDRs - Students will receive a primer on Endpoint Detection and Response systems and how they use hooks to gather telemetry and obtain visibility inside individual processes. Decisions to resume or kill the process are formulated based on the telemetry. \r\n- Introduction to unhooking (NTDLL/IAT) \u2013 Students will be introduced to IAT (Import Address Table) and NTDLL unhooking techniques as one of the means to evade EDR systems.\r\n\r\nSection 4 \u2013 The final section will focus on dissecting various unhooking techniques and how these techniques evolved over time as EDRs caught up with them.\r\n\r\n- Hell's Gate and Halo's Gate - Students will use the knowledge acquired in the previous section to understand different unhooking strategies employed in diverse scenarios to bypass EDR solutions.\r\n- Review / Key Takeaways / Q&A \u2013 The workshop will wrap up with a review of the material covered, key takeaways, and answers to any student questions.\r\n\r\nIn addition to the presentation material, students will be provided with a virtual machine (VM) that includes a fully functional development environment and all the necessary code samples for replicating the demonstrations showcased during the presentation.", "recording_license": "", "do_not_record": false, "persons": [{"code": "UTMAEW", "name": "Soumyadeep Basu", "avatar": "https://cfp.ringzer0.training/media/avatars/UTMAEW_co7Hl8P.webp", "biography": "Soumyadeep is a cybersecurity professional with expertise in both offensive and defensive security. Having earned certifications such as OSCP, OSEP, eCPTX and AZ-500, Soumyadeep possesses extensive skills and knowledge in both offensive and defensive cybersecurity domains. Soumyadeep has a strong foundation in red teaming and has worked with companies like Mandiant and Zscaler. 
Soumyadeep is a Cloud Threat Detection Engineer at CRED, specializing in tracking and disrupting cloud threat actors", "public_name": "Soumyadeep Basu", "guid": "fe10c2b7-322d-586d-957b-cf8864d381de", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/speaker/UTMAEW/"}, {"code": "XTCE3M", "name": "Arun Nair", "avatar": "https://cfp.ringzer0.training/media/avatars/XTCE3M_LAv1bPF.webp", "biography": "Arun is an experienced Red Teamer with specialized expertise in malware development and evasion. Holding certifications like OSCP, CRTP, CRTL, CodeMachine Malware Techniques, Malware on Steroids and Hacksys Windows Kernel Exploitation, he showcases a profound grasp of offensive security. His hands-on experience with top-tier organizations like Google and Mandiant enriches his understanding of real-world cyber tactics. He has volunteered as a trainer at Blackhat Europe MIPS Exploit Development, contributed at Defcon Adversary Village, and presented talks and workshops at RedTeamSummit, c0c0n, and regional Null Meetups.", "public_name": "Arun Nair", "guid": "73864234-6087-59f1-b42d-71c54e7c37f2", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/speaker/XTCE3M/"}], "links": [], "feedback_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/DNUPPY/feedback/", "origin_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/DNUPPY/", "attachments": []}], "Workshop Track 3 \ud83d\udccdUnder The Oaks": [{"guid": "37510de5-d481-50e0-af16-d34c2f6e0fed", "code": "FYRSRA", "id": 38828, "logo": null, "date": "2024-02-24T13:30:00-06:00", "start": "13:30", "duration": "03:00", "room": "Workshop Track 3 \ud83d\udccdUnder The Oaks", "slug": "ringzer0-bootstrap24-austin-38828-hack-our-drone", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/FYRSRA/", "title": "Hack Our Drone", "subtitle": "", "track": null, "type": "Workshop", "language": "en", "abstract": "The Dark Wolf \"Hack Our Drone\" workshop 
provides participants the ability to learn hands-on cybersecurity testing techniques for evaluating Unmanned Autonomous Systems. The workshop includes a full Unmanned Autonomous System test target composed of a BeagleBone Blue Flight Vehicle (UAV), a Ground Control System (GCS), and a MAVLink over 802.11 WiFi Communications system. The workshop includes both instructor assistance and detailed lab manuals to guide participants through a series of tasks to discover and exploit cybersecurity weaknesses in the UAS. Tasks include firmware analysis, network service exploitation, password cracking, elevation of privilege, and UAV over-the-air hijacks. Participants are expected to bring a laptop with either Kali Linux installed or one that can boot a Kali Linux Live USB drive.", "description": "This workshop is divided into three hands-on modules:\r\n\r\n1. Ground Control System\r\n2. Uncrewed Aerial Vehicle\r\n3. Radio Communications\r\n\r\nEach module includes tasks involved in describing the component, collecting software, analyzing for security vulnerabilities, and demonstrating exploits against those vulnerabilities. These tasks are drawn from our real-world experiences as cyber professionals providing security analysis of Uncrewed Aerial Systems in both commercial and governmental sectors.", "recording_license": "", "do_not_record": false, "persons": [{"code": "L3CS8R", "name": "Ronald Broberg", "avatar": null, "biography": null, "public_name": "Ronald Broberg", "guid": "a9ffcecc-457b-5296-ad97-bb133756bc8c", "url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/speaker/L3CS8R/"}], "links": [], "feedback_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/FYRSRA/feedback/", "origin_url": "https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/FYRSRA/", "attachments": []}]}}]}}}