09:00
480min
BlackHoodie Training: Introduction to Software Reverse Engineering
Marion Marschalek

Ever wanted to know what a binary looks like from the inside? Wonder no more, binary insides are all you will see in this class. We’ll go from 0 to "yo, there’s a bug in your application" in just one day. This training is very busy, from file formats, loaders and process execution, disassemblers and debuggers, to bug hunting of the special kind. But don’t worry, we’ll arm you with all the necessary skills! The target will be x86-64 Linux ELF executables.

BlackHoodie 📍Room 1.124
18:00
30min
Doors Open
Bootloader 📍Under The Oaks
18:30
45min
Compiler Backdooring For Beginners
Marion Marschalek

Ever wondered how compiler mitigations are built? Or how a sophisticated build chain attack can target a compiler to place backdoors and other miscreants? Wonder no more, this hands-on workshop shows you how to build your own compiler pass, which can alter any source code you build to your liking. We'll learn how source code makes its way through the different stages of a compiler into its final binary form, how compilers perform modifications and optimizations of the code, and how they translate their view of the code to a given architecture's binary representation. Students will get a glimpse of how some mitigations everybody knows and loves are actually implemented in a compiler. They'll work hands-on with LLVM Clang, following along with the theoretical chapters of the workshop, and eventually they'll implement a Clang plugin themselves to sneak a backdoor into otherwise perfectly secure code.
Prerequisites: Linux computer or virtual machine or cloud instance

Bootloader 📍Under The Oaks
19:30
45min
Best of the Worst: Misadventures in Bug Disclosure
Dustin Childs, Brian Gorenc

This talk looks at some of the best of the worst examples of disclosing bugs to vendors. We'll go behind the scenes to show the sometimes gory details and laughable farces of bug disclosure. Finally, we'll offer some advice to those who may be on the receiving end of disclosure to help them ensure they don't end up in version 2.0 of this talk.

Bootloader 📍Under The Oaks
20:30
45min
Rust Won't Save Us: Finding and Exploiting 0-days in Security Appliances
Zach Hanley

Increasingly, threat actors are moving off Windows endpoints and into less visible places such as appliances. An analysis of CISA’s Known Exploited Vulnerabilities from 2023, and recent years, reveals that threat actors are targeting and exploiting appliances with both known vulnerabilities and 0-days of their own.

This talk covers the vulnerability research process used to discover 16 vulnerabilities across three different security appliances in the Fortinet product line. From command injection, SQLi, file reads, and more, this journey started what I dubbed the “Forti Forty”, a goal (cut short) to find 40 CVEs in Fortinet appliances.

Attendees can expect to walk away with a general overview of how to approach reverse engineering security appliances, the methodology used in reviewing large systems and code bases, and the common pitfalls that developers make in these complex systems.

Bootloader 📍Under The Oaks
08:00
60min
Doors Open
Track 1 📍 Auditorium 1.110
09:00
45min
Revisiting 2017: AI and Security, 7 years later
Thomas Dullien

In 2017, I gave a keynote at ZeroNights Moscow about the role of AI in security, both on the offensive and the defensive side. This keynote will revisit the topics of 2017, and discuss what the changing landscape of AI and security has affected and changed, and which parts remain unchanged.

Track 1 📍 Auditorium 1.110
10:00
45min
Exploring the lay of the LLM detection landscape
Jacob Torrey

The world is awash in large-language model (LLM) AI (e.g., ChatGPT) news, predictions, and of course, content (all for good and ill). This talk takes a step back from the posturing and hype to look at how these models work, and how to detect the content they produce. We will look at the fundamentals of LLM-generated text detection and compare the best-in-breed detectors (GPTZero, Roberta, etc.) with a novel detector, ZipPy.
ZipPy is a new, open-source LLM text detector (and attribution tool!) developed by Thinkst Labs that is 60-100x faster than the competition, over 1000x smaller (< 200KB), and for many types of content, more accurate. We will explain the intuition behind ZipPy, show how it works, and the types of content it struggles with. Finally, we look at where LLMs can improve their stealth, and fundamental shortcomings in their designs that enable detection long-term.

Track 1 📍 Auditorium 1.110
11:00
30min
Morning Break (11:00 - 11:30)
Track 1 📍 Auditorium 1.110
11:00
90min
QEMU For Fuzz and Profit: Emulation & Fuzzing: Deep Dive into Cybersecurity Techniques
Antonio Nappa

Emulation and fuzzing are among the many techniques that can be used to improve cybersecurity; however, utilizing these efficiently can be tricky. This workshop will help you understand how these powerful tools and techniques work. Using a couple of real-world use cases and practical examples, this talk will help you grasp the fundamental concepts of fuzzing and emulation along with advanced vulnerability research, providing you with the tools and skills needed to find security flaws in your software.
The workshop will showcase the QEMU Course, where we move among different architectures and harnesses. We will show famous tools such as American Fuzzy Lop (AFL) and its improved version, AFL++. You’ll learn how to combine these powerful tools to create your own emulation and fuzzing environment and then use it to discover vulnerabilities in various systems, such as iOS, Android, and Samsung’s Mobile Baseband software, Shannon.

Workshop Track 1 📍Room 1.124
11:30
45min
Glitching in 3D: Low Cost EMFI Attacks
Matthew Alt (wrongbaud)

Advances in embedded device security features have led to more and more researchers utilizing fault injection techniques to bypass security features and gain increased access to systems. While some open-source tools exist to perform these types of attacks, there are still many hurdles that researchers must overcome when conducting power analysis of a device on which they wish to perform a fault injection attack.

While devices are vulnerable to voltage glitching attacks, sudden voltage drops at specific timings can cause permanent damage to them. We will begin this talk by describing our power analysis research that led us to an RDP bypass on the STM32F4 via voltage glitching. Despite being able to bypass RDP protections with a traditional voltage glitch, the attack would occasionally permanently damage the device. As a result of this, we developed a more reliable EMFI attack.

This talk describes utilizing open-source tools to perform an EMFI attack on an STM32F4 microcontroller, allowing for a full RDP (read-out-protection) bypass via a targeted EMP. This research will release the open-source tooling used to instrument a generic 3D printer and examples of how we integrated it into the workflow utilizing the ChipWhisperer Husky and PicoEMP.

Track 1 📍 Auditorium 1.110
12:15
75min
Lunch (12:15-13:30)
Track 1 📍 Auditorium 1.110
13:30
90min
Binary Reversing and Whole Firmware Diffing
Robin David

Diffing is used in reverse engineering to analyze two variants or versions of the same software, whether it is a legitimate executable or malware. It is useful for transferring information from one program to another, for anti-plagiarism, or for patch analysis and thus vulnerability research. While multiple diffing tools exist, little has been done to perform diffing at scale on numerous binaries.

This workshop introduces a variety of tools: both tools to analyze binaries by working on the representation extracted from a disassembler, and tools to automate diffing with BinDiff. All these tools have been open-sourced very recently and documentation is available at https://diffing.quarkslab.com.

Workshop Track 2 📍Room 1.126
13:30
90min
Fault Injection Characterization
tieknimmers

Most of you have likely heard about hardware Fault Injection. Actually, it's likely some of you have experience injecting glitches into chips. However, many of you are likely still unaware of the full potential of the faults you are, sort of randomly, bringing to life. In this workshop, you will conduct a hands-on Fault Injection experiment and model your faults systematically. This understanding allows you to envision, and potentially devise, powerful Fault Injection exploits.

Workshop Track 1 📍Room 1.124
13:30
180min
Hack Our Drone
Ronald Broberg

The Dark Wolf "Hack Our Drone" workshop provides participants the ability to learn hands-on cybersecurity testing techniques for evaluating Unmanned Autonomous Systems. The workshop includes a full Unmanned Autonomous System test target composed of a BeagleBone Blue Flight Vehicle (UAV), a Ground Control System (GCS), and a MAVLink over 802.11 WiFi Communications system. The workshop includes both instructor assistance and detailed lab manuals to guide participants through a series of tasks to discover and exploit cybersecurity weaknesses in the UAS. Tasks include firmware analysis, network service exploitation, password cracking, elevation of privilege, and UAV over-the-air hijacks. Participants are expected to bring a laptop with either Kali Linux installed or one that can boot a Kali Linux Live USB drive.

Workshop Track 3 📍Under The Oaks
15:00
30min
Afternoon Break
Track 1 📍 Auditorium 1.110
15:00
30min
Afternoon Break
Workshop Track 1 📍Room 1.124
15:00
30min
Afternoon Break
Workshop Track 2 📍Room 1.126
15:30
90min
Mastering Offensive Hooking and Unhooking
Soumyadeep Basu, Arun

Hooking is a powerful method employed to monitor, intercept and manipulate the flow of data and control within an application. It involves injecting custom code inside a target process to alter or enhance its functionality. Hooking plays a pivotal role in game anti-cheat systems, fortifying security controls, gathering valuable telemetry data, and empowering Endpoint Detection and Response (EDR) systems. This workshop delves deep into advanced hooking techniques and provides a unique opportunity for participants to master this intricate art. Whether you're a seasoned malware researcher seeking to dissect threats or a red teamer looking to uncover defense blind spots, this workshop will equip you with the skills and knowledge needed to excel in your security endeavors.

Workshop Track 2 📍Room 1.126
15:30
90min
Patch Diffing In The Dark
John McIntosh

The goal of this workshop is to teach participants how to use patch diffing techniques to analyze real-world vulnerabilities in Microsoft Windows (CVE-2023-28308) and Android (CVE-2022-36934). The main point of the workshop is to help researchers understand that they already have the information and tools needed to understand complex vulnerabilities. By learning to patch diff "in the dark", a researcher can progress from knowing about a vulnerability to actually understanding its root cause.

Workshop Track 1 📍Room 1.124