Black Hat USA 2018 - The Problems and Promise of WebAssembly
WebAssembly is a new standard that allows assembly-like code to run in browsers at near-native speed. But how does WebAssembly work, and how does it execute code while maintaining the security guarantees of a browser? This presentation gives an overview of the features of WebAssembly, as well as examples of vulnerabilities that occur in each feature. It will also discuss the future of WebAssembly, and emerging areas of security concern. Learn to find bugs in one of the newest and fastest growing parts of the browser!
...
https://www.youtube.com/watch?v=iZ2fEk2EA6M
https://www.youtube.com/watch?v=ftRbH2pmMWo
https://www.youtube.com/watch?v=vr-XdXexaeo
https://www.youtube.com/watch?v=7ojpKOlWQII
We are hackers, we won't do as you expect or play by your rules, and we certainly don't trust you. JAR files are really ZIPs…unzip them! So are Microsoft's DOCX, XLSX, PPTX, etc. Let's open them up! macOS applications (.app "files") are really directories you can browse?! Sweet, let's do that.
Less well known but similarly prevalent are Flat Package Mac OS X Installer (.pkg) files. These are actually XAR archives that, among other things, contain many plaintext files (including shell, Perl, and Python scripts) as cpio files compressed using gzip.
In this presentation I'll walk you through extracting the contents of these installer packages, understanding their structure, and seeing how they work while highlighting where security issues can come up. To drive the point home of what can go wrong, I'll include examples of serious security issues I've seen in the wild and show you how they can be exploited to elevate privileges and gain code/command execution.
After this talk, .pkg files will no longer be opaque blobs to you. You'll walk away knowing tools and techniques to tear them open, understand how to evaluate what they're really doing on your computer, and a methodology for finding bugs in them. As a final bonus, I'll include a subtle trick or two that can be used on red teams.
Talk by Andy Grant
...
https://www.youtube.com/watch?v=iASSG0_zobQ
https://www.youtube.com/watch?v=x2d4NlGWbT4
https://www.youtube.com/watch?v=3N29vrPoDv8
https://www.youtube.com/watch?v=E4rfX8JcfKQ
Javier Vazquez Vidal, Hardware Security Specialist at Code White GmbH
Ferdinand Noelscher, Information Security Specialist at Code White GmbH
The CAN bus is really mainstream, and every now and then there are new tools coming out to deal with it. Everyone wants to control vehicles and already knows that you can make the horn honk by replaying that frame you captured. But is this all that there is on this topic? Reversing OEM and third party tools, capturing firmware update files on the fly, and hijacking Security Sessions on a bus are just a few examples of things that can be done as well. For this and more, we will introduce to you the CanBadger! It's not just a logger, neither an injector. It's a reversing tool for vehicles that allows you to interact in realtime with individual components, scan a bus using several protocols (yup, UDS is not the only one) and perform a series of tests that no other tool offers. The CanBadger is where the real fun begins when dealing with a vehicle, and you can build it under $60USD! If you are already done with replaying frames on the CAN bus and want to learn how that fancy chip-tuning tool deals with your car, or simply want to get Security Access to your vehicle without caring about the security key or algorithm, we are waiting for you!
Javier Vazquez Vidal is passionate about technology and specializes in hardware and embedded systems security. He studied Electromechanics and Telecommunications, developing a passion for electronics and technology since his youth. He has been part of several projects that involved well-known hardware, but his first public work was presented at DEF CON 21, the ECU tool. He developed the CHT, a tool to take over the CAN network, and had some fun with the ‘paella country’ smart meters. He is currently working as a Product Security Engineer at Code White GmbH, and has worked at companies such as Tesla, Daimler, Airbus Military and Visteon.
Ferdinand Noelscher is an information security researcher from Germany. He has been working in Information Security for several years now. Ferdinand is very passionate about Offensive Security research and has been working on numerous embedded security projects, and some lasers too. Furthermore, he gave a training together with Javier at hardwear.io. He is currently a Security Researcher at Code White.
...
https://www.youtube.com/watch?v=MVh3fwmk-AU