In December last year, I released the async_wake exploit for iOS 11.1.2. In this talk, I'll cover how each step of the exploit worked and discuss in depth each mitigation which was defeated along the way. I'll focus on what was supposed to make exploitation hard, what techniques other public exploits would have used in earlier iOS versions, and what mitigations we might see in iOS 12 and beyond (and how to break those too!). ... https://www.youtube.com/watch?v=OT3F_dMl1TM

The Go implementation of the P-256 elliptic curve had a small bug due to a misplaced carry bit affecting less than 0.00000003% of field subtraction operations. We show how to build a full practical key recovery attack on top of it, capable of targeting JSON Web Encryption. Go issue #20040 affected the optimized x86_64 assembly implementation of scalar multiplication on the NIST P-256 elliptic curve in the standard library. The bug was found by a Cloudflare engineer because it caused ECDSA verifications to fail erroneously but the security impact was initially unclear. We devised an adaptive bug attack that can recover a scalar input to ScalarMult by submitting attacker-controlled points and checking if the result is correct, which is possible in ECDH-ES. We reported this to the Go team, Go 1.7.6 and 1.8.2 were issued and the vulnerability was assigned CVE-2017-8932. At a high level, this P-256 ScalarMult implementation processes the scalar in blocks of 5 bits. We can precompute points that trigger the bug for each specific 5 bit value, and submit them. When the protocol fails, we learned 5 key bits, and we move on to the next 5, Hollywood style. In about 500 submissions on average we recover the whole key. ... https://www.youtube.com/watch?v=tWQaADGucCU