skip to main content

DEF CON China 1.0 Hacking Conference



English | 中文

Modern Malware:
de-obfuscation, emulation and rootkits

Alexandre Borges Security Researcher, Blackstorm Security

Modern advanced malware samples are used to infect countries and they make part of the current cyber war, cyber espionage and financial attacks. Furthermore, critical actors, who write these malicious codes, try to make the static and dynamic analysis really hard by heavily obfuscating and, eventually, virtualizing codes using techniques such as CFG, call stack manipulation, dead code, opaque predicate and so on. Understanding these concepts and how they are used with virtualized packers is an advantage to learn the main anti-reversing techniques.

Therefore, to manage complex scenarios as exposed above, we are able to use frameworks such as METASM, MIASM and several dynamic static emulation techniques to make code simpler. At end, the goal is to reduce the code (most of time by using symbolic analysis), making us able to get a better understanding about the threat. Additionally, the introduction of dynamic tracing (DTrace) on Windows can help us to having a better understanding about programs and their behavior.

This presentation aims to show concepts and a practical approach on how to handle these reverse engineering challenges and techniques.

Alexandre Borges is a Security Researcher, who has been working on Reverse Engineering, Malware Analysis and Digital Forensic Analysis for many years.

Usually, he teaches training courses about Malware and Memory Analysis, Digital Forensics, Mobile Forensics and Mobile Malware Analysis around the world. Furthermore, Alexandre is the creator and maintainer of Malwoverview triage tool:

Alexandre has spoken in several conferences such as DEFCON 2018, H2HC conference (2015 and 2016), BSIDES (2016, 2017 and 2018), BHack (2018), HITB 2019 (Amsterdam) and CONFidence Conference 2019 (Poland).

Twitter: @ale_sp_brazil

Mission Impossible: Steal Kernel Data from User Space

Yueqiang Cheng Staff Security Scientist, Baidu USA X-Lab

Zhaofeng Chen Staff Security Scientist, Baidu X-Lab

Yulong Zhang Principle Security Scientist, Baidu

Yu Ding Staff Security Scientist, Baidu X-Lab

Tao Wei Chief Security Scientist, Baidu X-Lab

With the introduction of GDPR and the emphasis on privacy, more and more companies and research institutions have begun to pay attention to data privacy protection. Among the protection schemes, using the kernel to protect private data plays an important role.

However, Meltdown and Spectre as a CPU vulnerability allow a rogue process to read the kernel data in CPU L1-d cache, even when it is not authorized to do so. Until now, the only effective mitigation approach was to isolate kernel memory from user-mode processes. This solution has different names on different platforms: Kernel Page-Table Isolation (KPTI) on Linux, Kernel Virtual Address (KVA) Shadow on Windows, and Double Map (DM) on OS X.

In this talk, however, we will prove the illusion that the strong isolation of KPTI has perfectly defeated Meltdown to be incorrect. First, we propose Variant V3r to demonstrate that Meltdown can be improved to be more powerful and reliable than what people originally thought. Variant V3r significantly increases the reliability for a rogue process to read any kernel data (not necessary in L1-d cache) on multiple platforms. Next, we further propose an even more powerful attack, Variant V3z, that allows a rogue process to bypass KPTI and reliably read any kernel data. To the best of our knowledge, V3z is the first Meltdown variant that is able to defeat KPTI.

To demonstrate the reliability, efficiency, and effectiveness of these two new variants, we will show demos that unprivileged processes can reliably leak secrets from anywhere in the kernel space, even in the presence of KALSR.

Finally, we will offer suggestions to mitigate our proposed threats, and we call for more and more parties to join in this effort to improve the security of processors and operating systems.

Yueqiang Cheng is a Staff Security Scientist at Baidu USA X-Lab. His research interests focus on System Security (e.g., SGX, Virtualization), Blockchain Security, and Side Channel Security.

Zhaofeng Chen is a security researcher from Baidu X-Lab, focusing on iOS/macOS security.

Yulong Zhang is currently working at Baidu conducting the research and development of the next generation methodologies to analyze advanced mobile malware, and to design security products to detect and defend mobile threats.

Yu Ding is a staff security scientist at Baidu X-Lab. His research interests are security issues around Intel SGX, secure decentralized systems, and security protocol analysis .

Dr. Tao (Lenx) Wei is the head of Baidu X-Lab. Prior to joining Baidu, he was an associate professor at Peking University. His research interests include software analysis and system protection, web trust and privacy, programing languages, and mobile security.

You are not hiding from me .NET

Aden Wee Jing Chung Threat Hunter, F-secure Countercept

For years, we at Countercept have seen adversaries across the threat pyramid make use of PowerShell tool-kits for lateral movement, data exfiltration and persistence over different environments. As defenders, we have done a pretty good job – PowerShell is a fading threat in time. Mimikatz execution through PowerShell? AMSI and PowerShell logging can handle that relatively well.

However, adversaries being adversaries don’t just give up. They have migrated tool-kits to areas where visibility is still limited – such as .NET. Favoured by adversaries due to its wide range of functionalities, ease of development, and default presence on modern Windows platforms, we have seen a significant increase in exploitation toolkits leveraging .NET to perform usual activities - but in an area where they are relatively hidden.

First, we’ll take a look at these tools - what they do, and how they work. Techniques such as DCOM object abuse, run-time code compilation and in-memory assembly loading (performed by the DotNetToJscript project) would be examine in detail. These techniques are used by exploitation tool-kits such as GhostPack, SharpShooter, and SilentTrinity, and thus are very relevant to defenders. We’ll then focus on detection. We’ll examine the indicators such toolkits and techniques leave behind, and how we can detect them utilising various sources of telemetry, collected via open-source tooling, such as process logging, DLLs imports and ETW tracing of JIT compilation or Interop events.

At the end of the day, attendees will walk away with an understanding of the inner workings of various .NET techniques as well as how they can be used to compromise a windows machine stealthily. Additionally, attendees will learn how a defender can leverage on open source tooling to detect and hunt for .NET attacks.

Aden performs hand to hand detection and response combat, with real world adversaries as part of his life as a Threat Hunter at Countercept. Armed with a rainbow colored keyboard, ensuring no activity is left undetected is Aden’s focus, regardless of toolkit, geographical origin, or sophistication.

Creating the DEFCON China 1.0 Badge

Joe Grand (Kingpin)

In honor of the first official DEFCON China event, we present to you a badge with a purpose. Created with the specific goal of bringing the DEFCON China community together, the badge is a fun, open source, hackable, and reusable electronic device.

Join badge designer Joe Grand as he guides you through the entire badge development process, including early concepts, prototyping, manufacturing, and all of the challenges he faced along the way.

Joe Grand (@joegrand), also known as Kingpin, is a computer engineer, hardware hacker, DEFCON badge designer, teacher, advisor, runner, daddy, honorary doctor, TV host, member of legendary hacker group L0pht Heavy Industries, and the proprietor of Grand Idea Studio ( He has been creating, exploring, and manipulating electronic devices since the 1980s. @joegrand (Twitter) and

IPv666 - Address of the Beast

Christopher Grayson Security Engineer, Bird Ride

Marc Newlin Security Engineer

Global adoption of IPv6 continues to grow, with Google reporting IPv6 as 25% of its client traffic. IPv6 comes with a slew of improvements from larger address space to self-organizing addressing to required support of multicast, but these improvements are a double-edged sword. With NAT going away, DHCP no longer being required, modern operating systems and networks supporting and preferring IPv6 over IPv4, ICMP being required for network operation, iptables not applying to IPv6, and multiple IP addresses being associated with individual interfaces, IPv666 conjures the perfect storm of fail open defaults.

Why, then, haven't more boxes been popped via IPv6? It turns out finding live hosts over IPv6 is a non-trivial problem (2^128 is a little bit bigger than 2^32)!

In this talk we will cover how we've approached solving the IPv6 address discovery problem. We'll cover the various mistakes we made, the predictive clustering model and neighboring address discovery that we've built into our ipv666 toolkit (with a new and improved discovery rate of 343 addresses per second), and the new web portal we've created that provides access to our aggregated IPv6 address data set. In providing this data and tool set we hope to enable researchers to evaluate the security posture of IPv6 hosts.

Chris Grayson (OSCE) is a security engineer at Bird Ride. In this roles he designs and implements distributed systems and addresses security issues at scale. Prior to joining Bird Rides Chris was a security engineer at Snap, Inc., a founder at Web Sight, a senior penetration tester at Bishop Fox, and a research scientist at the Georgia Institute of Technology. During his tenure at these organizations Chris grew into both a breaker and a builder, becoming adept at compromising all manners of systems as well as designing and implementing mechanisms to protect them. Chris has spoken at numerous security conferences such as DEF CON, ToorCon, ShmooCon, and HushCon, and attended the Georgia Institute of Technology where he received two degrees and organized and lead the Grey H@t student hacking organization.

Marc is a security engineer by day, and SDR hacker by night, having disclosed wireless vulnerabilities to 21 vendors in the last two years. A glutton for challenging side projects, he competed solo in two DARPA challenges, although he never went to college. In 2013-14, Marc got into SDR by competing in the DARPA Spectrum Challenge, placing second in the preliminary tournament. In 2011, he wrote software to reassemble shredded documents, finishing the DARPA Shredder Challenge in third place out of 9000 teams.

Bridge Attack: Double-edged Sword in MobileSec

Zidong Han Tencent Mobile Security Labs,Razor Team

Bridge Attack(BA) is new attack surface for mobile phone and IoT devices in LAN. The abstract bridge is usually implemented by some custom schemes or protocols, such as Javascript Bridge in webview, Upnp Protocol in IoT. In some cases, the Bridge's expanded ability makes the risks of devices in LAN, and the vulnerability can be persistently exploited with a common web attack(Eg. XSS/CSRF)

Bridge Attack finds the potential vulnerability in communication between internal and external components. We think that external component gives more data-flow attack entries which should be checked identification in the internal component. That means bridge attack makes devices in LAN face more attack risks which can lead to remote code execution, sensitive data leak and IOT devices being controlled.

Zidong Han, is an android security researcher from Tencent Mobile Security Lab, Razor Team. Focuses on mobile security research, especially App vulnerability and IOT related security research, Attended HITB-SECCONF-2018-Beijing,as a speaker in CommSec:《Who Hijacked My Smart Home: One URL to Hack ALL IoT Devices 》Attended GeekPwn 2018, Hack Pwn in House. Found and exploited more than 20 vulnerabilities in eight kinds of IoT devices.

WeChat: hzddm12340

WARNING: Magnitude 10 Earthquake Is Coming in One Minute

Weiguang Li LTE Security Researcher from 360 Technology

JingLi Hao

Yuwei Zheng

Public warning system (PWS) based on mobile communication system is used to alert the public to emergency events such as earthquakes, tsunamis, hurricanes, etc. We carefully study the PWS in LTE network and uncover the vulnerability of PWS in LTE air interface, i.e., the warning messages of the PWS are not encrypted or signed when they are transmitted over the air. Thus, it is possible that malicious PWS warning messages can be transmitted.

We simply use a low cost soft define radio (SDR) device and modify not much code of the LTE open source project srsLTE in order to forge the warning messages. Both Apple and Android test mobile phones are affected by our forged warning messages.

Fake PWS warning messages will cause serious panics among the population, they also could be used to send advertising or spam messages. The public warning system may become paralyzed and useless under the threat of the abuse of fake warning messages.

Weiguang Li is a mobile network security researcher from UnicornTeam of 360 Technology Co. Ltd in China. He mainly focuses on GSM and LTE security, He is also interested in NB-IOT baseband reverse engineering and software-defined radio development. WeChat: ColorLight

Yuwei Zheng is a senior security researcher from 360 technology. He focuses on the security issues of embedded hardware and IOT systems. He was the speaker of DEFCON, HITB and BlackHat.

JingLi Hao is a researcher of 360 Security Research Institute, member of Unicorn Team, satellite hacker

Got To Glitch Them All: 10+ Years of War Stories Glitching Embedded and IoT Devices

Ramiro Pareja Technical Leader, Riscure Security Lab China

Fault injection, also known as glitch attacks, is a hardware hacking technique that has been successfully used to attack all kind of targets for more than 20 years. However, most of the security experts ignore about its existence or understates its risks. With the recent decrease on the tooling cost required to perform fault injection, these type of attacks have become affordable for the masses. At the same time, the generalization of secure coding practices and the rise of the IoT devices based on small SoCs is increasing the interest on these and other hardware attacks, as quite often nowdays they are the only resort to attack some electronic devices.

In this talk, we tell our war stories about performing fault injection attacks on a wide variety of devices used by different industries. Our real stories - a compendium of more than 10 years of experience as hardware security analysts - will cover the full spectrum what fault injection is about. We will be talking about shooting lasers, breaking military grade cryptography, unblocking locked devices, revealing the deepest secrets hidden in the hardware and much more. But not everything is lost for your electronic devices! We will also talk about how you can protect your hardware and software against these powerful attacks.

Ramiro Pareja is the technical leader of the Riscure security testing laboratory located in China. He has large experience on hardware security and he specializes on Embedded Systems and SoC security. In the last years, Ramiro has developed an interest and expertise in the automotive industry (embedded and connected technologies deployed in modern vehicles), applying fault injection and side channel attacks – very common in other markets like smartcards or content protection – to the automotive electronic systems.

If it has chips, he can break it ;)

Breaking the back end! It is not always a bug. Sometimes, it is just bad design!

Gregory Pickett Cybersecurity Operations, Hellfire Security

Reverse engineering is critical to exploitation. However, going through the process of reverse engineering can often lead to a great deal more than just uncovering a bug. So much so that you might find what you need for exploitation even if you don't find a bug.

That’s right. If you go through object data, object representation, object states, and state changes enough you can find out quite a lot. Yes. Poor application logic is a bitch. Just ask any application penetration tester. This time it is not the magstripe. It’s appsec and you will get to see how application attacks can be used against a hardware platform.

In this talk, I will go through the journey that I took in reverse engineering the public transportation system of an east asian mega-city, the questions that I asked as I wondered “How does this work?”, the experiments that I ran to answers those questions, what I learned that lead me to an exploit capable of generating millions of dollars in fake tickets for that very same system, and how other designers can avoid the same fate. Not without risk, this research was done under a junta so I will also be telling you how I kept myself out of jail while doing it. Please join me. You won’t want to miss it.

Gregory Pickett CISSP, GCIA, GPEN has a background in intrusion analysis for Fortune 100 companies but now heads up Hellfire Security’s Managed Security Services efforts and participates in their assessment practice as a network security subject matter expert. As a security professional, his primary area of focus and occasional research is networks with an interest in using network traffic to better understand, to better defend, and sometimes to better exploit the hosts that live on them. He holds a B.S. in Psychology which is completely unrelated but interesting to know. While it does nothing to contribute to how he makes a living, it does demonstrate how screwed up he actually is.


Attacks you can't combat: vulnerabilities of most robust mobile operators

Sergey Puzankov Telecom Security Expert, Positive Technologies

The mobile world is moving to 5G. However, there are billions of subscribers who still use old 2G and 3G networks. These networks rely on the SS7 (Signaling System #7) protocol stack that was developed in the 1970s. The SS7 stack was supposed to be used as an isolated network within a small club of large telephone operators, so nobody thought about upper-layer security mechanisms. Further development of SS7 brought the possibility of sending signaling traffic over IP networks. Thus, the SS7 stack got vulnerabilities “by-design” that allow an external intruder to perform such attacks as location tracking, service disruption, SMS and voice call interception. Mobile operators, equipment vendors, and non-commercial organizations (such as the GSMA - the association of mobile operators) are aware of the problem. They develop and implement security solutions mitigating threats from SS7 networks.

Our recent research shows that SS7 has vulnerabilities that allow bypassing any protection tools. Manipulation of parameters on different layers of an SS7 message may help an intruder to cheat a security tool and achieve the goal even with subscribers served by a well-protected network. The research findings were reported to the GSMA Coordinated Vulnerability Disclosure Programme and FASG (Fraud and Security Group). The report was used for a security recommendations update.

In this presentation, I will demonstrate how an intruder can use new SS7 vulnerabilities to bypass security tools. I will explain why it is possible and how network equipment reacts to malicious traffic. In addition, I will give recommendations to operators on how to make their networks more secure.

Sergey was born in 1976. He graduated from Penza State University with a degree in automated data processing and management systems in 1998. Before joining Positive Technologies in 2012, he worked as a quality engineer at VimpelCom. Being a security expert in telecommunication systems at Positive Technologies, he researches signaling network security and participates in audits for mobile operators around the world.

Sergey is also the general developer of the PT Telecom Vulnerability Scanner tool, member of the PT Telecom Attack Discovery development team, writes Positive Technologies annual reports on telecom security.

He is part of the team that revealed vulnerable points in popular two-factor authentication schemes using texts and demonstrated how easy it is to compromise Facebook, WhatsApp, Telegram accounts, and a Bitcoin wallet. Apart from that, Sergey actively contributes the results of security research and discovered vulnerabilities to global organizations, such as GSMA and ITU.

Twitter: xigins

Derevolutionizing OS Fingerprinting: The Cat and Mouse Game

Jaime Sanchez Global Security Research Lead, Telefónica

With the explosive growth and distributed nature of computer networks, it has become progressively more difficult to manage, secure, and identify Internet devices. An outsider has the capability to discover general information, such as which operating system a host is running, by searching for default stack parameters, ambiguities in IETF RFCs or non-compliant TCP/IP implementations in responses to malformed requests. By pinpointing the exact OS of a host, an attacker can launch an educated and precise attack against a target machine.

There are lot of reasons to hide your OS to the entire world:

  • Revealing your OS makes things easier to find and successfully run an exploit against any of your devices.
  • Having and unpatched or antique OS version is not very convenient for your company prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, these kind of 'bad' news are always sent to the public opinion.
  • Knowing your OS can also become more dangerous, because people can guess which applications are you running in that OS (data inference). For example if your system is a MS Windows, and you are running a database, it's highly likely that you are running MS-SQL.
  • It could be convenient for other software companies, to offer you a new OS environment (because they know which you are running).
  • And finally, privacy; nobody needs to know the systems you've got running.

This talk aims to present well-known methods that perform classification using application-layer traffic (TCP/IP/UDP headers, ICMP packets, or some combination thereof), old style approaches to defeat remote OS fingerprinting (like tweaking Windows registry or implement patches to the Linux kernel) and why this doesn't work with nowadays and could affect TCP/IP stack performance. We'll also present a new approach to detect and defeat both active/passive OS fingerprint with OSfooler-NG, a completely rewritten tool, highly portable, completely undetectable for the attackers and capable of detecting and defeating famous tools like nmap, p0f, Xprobe, pfsense and many commercial engines.

Sorry guys, OS fingerprinting is over...

Jaime Sánchez (aka @segofensiva) has worked for over 20 years as a specialist advisor for large national and international companies, focusing on different aspects of security such as consulting, auditing, training, and ethical hacking techniques. He holds a Computer Engineering degree and an Executive MBA. In addition, he holds several certifications, like CISA , CISM , CISSP , just to name a few, and a NATO SECRET security clearance, as a result of his role as advisory of many law enforcement organizations, banks and large companies in Europe and Spain.

He has spoken in renowned security conferences nationally and internationally, as in RootedCON , Nuit du Hack , Black Hat , Defcon , DerbyCON , NocOnName , Deepsec , Shmoocon or Cyber Defence Symposium , among others. As a result of his researches, he has notified security findings and vulnerabilities to top companies and vendors, like Banco Popular, WhatsApp, Snapchat, Microsoft, Apple etc.

He is a frequent contributor on TV (TVE, Cuatro, LaSexta, Telecinco), press (El Pais, El Mundo, LA Times, NBC News) and radio programs, and writes a blog called 'SeguridadOfensiva'

Twitter: @segofensiva

VoIPShark: Open Source VoIP Analysis Platform

Nishant Sharma R&D Manager, Pentester Academy

Jeswin Mathai Security Researcher, Pentester Academy

Ashish Bhangale Senior Security Researcher, Pentester Academy

Leveraging the packet switched network for making phone calls or VoIP has come a long way now. Today, it has already replaced conventional circuit switching based telephones from the large organizations and now moving to capture the non-commercial users. In this talk, we will focus on the traffic analysis based security analysis of SIP and RTP protocols which are one of the most popular protocols for VoIP. These protocols are already gaining new adopters on high rate and also replacing older protocols like H323.

We will discuss VoIPShark open source VoIP Analysis Platform which will allow people to analyze live or stored VoIP traffic, easily decrypt encrypted SRTP stream, perform macro analysis, generate summary specific to VoIP traffic/nodes and export calls/SMS/DTMF in popular user friendly file formats. We will also be releasing VoIPShark collection of Wireshark plugins written in Lua under GPL. VoIPShark is plug-n-play, easy to modify/extend and platform independent in nature. We will also discuss the currently available open source tools for SRTP decryption, their shortcomings and how VoIPShark address those.

Nishant Sharma is a R&D Manager at Pentester Academy and Attack Defense. He is also the Architect at Hacker Arsenal where he leads the development of multiple gadgets for WiFi pentesting such as WiMonitor, WiNX and WiMini. He also handles technical content creation and moderation for Pentester Academy TV. He has 6+ years of experience in information security field including 4+ years in WiFi security research and development. He has presented/published his work at Blackhat USA/Asia, Wireless Village, IoT village and Demo labs (DEFCON). Prior to joining Pentester Academy, he worked as a firmware developer at Mojo Networks where he contributed in developing new features for the enterprise-grade WiFi APs and maintaining the state of art WiFi Intrusion Prevention System (WIPS). He has a Master's degree in Information Security from IIIT Delhi. He has also published peer-reviewed academic research on HMAC security. His areas of interest include WiFi and IoT security, AD security, Forensics and Cryptography.

Twitter: @wifisecguy

Ashish Bhangale is a Senior Security Researcher at Pentester Academy and Attack Defense. He has 6+ years of experience in Network and Web Application Security. He has also worked with the state law enforcement agencies in the capacity of a Digital Forensics Investigator and was instrumental in solving IT fraud/crime cases. He was responsible for developing and testing the Chigula (WiFi Forensics Framework) and Chellam (First pure WiFi Firewall) frameworks. He has also created and managed multiple projects like Vulnerable Web Application OSes, Vulnerable Router Project and Damn Vulnerable Wordpress. He has presented/published his work at Blackhat, Wireless Village, IoT village and Demo labs (DEFCON). His areas of interest include Forensics, WiFi and AD security.

Jeswin Mathai is a Researcher at Pentester Academy and Attack Defense. He has published his work at Blackhat Arsenal and Demo labs (DEFCON). He has a Bachelor's degree from IIIT Bhubaneswar. He was the team lead at InfoSec Society IIIT Bhubaneswar in association with CDAC and ISEA, which performed security auditing of government portals, conducted awareness workshops for government institutions. He was also the part of team Pied Piper who won Smart India Hackathon 2017, a national level competition organized by GoI. His area of interest includes Malware Analysis and Reverse Engineering, Cryptography, WiFi security and Web Application Security.

Twitter: @jeswinMathai

Tag-side attacks against NFC

Christopher Wade

This talk covers tag-side attacks against NFC communication protocols, including cracking of Mifare encryption keys and performing targeted attacks against NFC readers. In addition, it will cover the design and creation of devices capable of emulating NFC tags down to the raw protocol using standard components and tools, with no abstraction to dedicated hardware, covering and expanding on the capabilities of available products. This talk will contain how 13.56MHz NFC works at a raw level, how tools can be built for analysing it, how the protocol can be implemented in full on standard Microcontrollers, and the security weaknesses present in its design.

Chris is a seasoned security researcher and testing consultant. His main focuses are in reverse engineering hardware, fingerprinting USB vulnerabilities and playing with Software Defined Radios, with his key strength lying in firmware analysis, which he utilises as part of the hardware testing team at Pen Test Partners.
@Iskuri1 on Twitter

How to perform security analysis on IoT equipment through building a base station system

XiaoHuiHui Senior Security Researcher, Baidu,Inc.

Every year billions more smart devices, like those in vending machines\automobile central controls\shared bicycles\smart watches, are connecting to the network using 2/3/4G technology. On one hand, we need to obtain the data of connections between devices and cloud to analyze and find the vulnerabilities. On the other hand, as latest devices do not have as many direct break-in points to exploit, sniffing and man-in-the-middle into 2/3/4G traffic seem to be the trending and effective attacks, which may cause serious security issues such as leaking confidential information and remote command execution etc.

In this talk, we will first show how to build a test GSM base station system under legal premise, and then introduce a new method (inspired from learnings on malicious BTS practices in China) which make the mobile devices connected to the test base station system automatically. Using this method, we can sniff and run MITM attack easily. This affects all kinds of devices using 2/3/4G. We will demonstrate 4 examples, which use this method to find the vulnerability and take control of the devices. At the end, we will present how to build a 4G LTE test base station to perform the fast and stable testing on mobile devices.

Shupeng is a member of Baidu Security Lab. He is an expert on IoT security, AI security, penetration testing, etc. He was invited to talk on multiple security conferences, and successfully pwned IOT equipments on XPwn 2016/2017/2018, GeekPwn May/October 2017, the biggest pwn competitions in China.

From Ancient to Modern: Diagnosing Root Cause of Software Vulnerabilities from unexpected Crashes

Xinyu Xing Assistant Professor, Penn State University. Research Scientist,

Jimmy Su Head of security center, Silicon Valley

Despite the best efforts of developers, software inevitably contains flaws that may be leveraged as security vulnerabilities. Modern operating systems integrate various security mechanisms to prevent software faults from being exploited. To bypass these defenses and hijack program execution, an attacker therefore needs to constantly mutate an exploit and make many attempts. While in their attempts, the exploit triggers a security vulnerability and makes the running process terminate abnormally.

After a program has crashed and terminated abnormally, it typically leaves behind a snapshot of its crashing state in the form of a core dump. While a core dump carries a large amount of information, which has long been used for software debugging, it barely serves as informative debugging aids in locating software faults, particularly memory corruption vulnerabilities. As such, previous research mainly seeks full reproducible execution tracing to identify software vulnerabilities in crashes. However, such techniques are usually impractical for complex programs. Even for simple programs, overhead of full tracing may only be acceptable at the time of in-house testing.

In this talk, we will introduce a reverse execution technique, which takes as input a core dump, reversely executes the corresponding crashing program and automatically pinpoints the root cause of the vulnerable site hidden behind the crash. In the process of performing reverse execution, our technique typically encounters uncertainty (e.g., uncertain control or data flow) which significantly influence the capability of identifying vulnerabilities. To tackle this problem, we augment the technique with deep recurrent neural network, which poses reverse execution with the ability to perfectly infer the control and data flow leading up to the program crash. To demonstrate the utility of this technique, we have already used it to analyze hundreds of crashes pertaining to more than 300 CVEs, and successfully pinpoint the vulnerable site corresponding to each crash. Along with this talk, we will release the tool developed under our technique and make it publicly available.

Dr. Xinyu Xing is an Assistant Professor at the Pennsylvania State University, and currently working at JD Inc. as a visiting researcher. His research interest includes exploring, designing and developing tools to automate vulnerability discovery, failure reproduction, vulnerability diagnosis (and triage), exploit and security patch generation. He was the speaker at BlackHat USA, BlackHat Europe and many academic conferences (e.g., USENIX Security and CSS). He has also received best paper awards from academic conferences such as CCS and ACSAC. His works have been featured by many mainstream media, such as Technology Review, New Scientists and NYTimes etc. He was also the organizer of NSA memory corruption forensics competition. xingxinyu1983 (wechat) (personal site)

Dr. Jimmy Su leads the JD security research center in Silicon Valley. He joined JD in January 2017. Before joining JD, he was the director of advanced threat research at FireEye Labs. He led the research and development of multiple world leading security products at FireEye, including network security, email security, mobile security, fraud detection, and end-point security. He led a global team including members from the United States, Pakistan, and Singapore from research to product releases on the FireEye's first machine learning based malware similarity analysis Cloud platform. This key technology advance was released on all core FireEye products including network security, email security, and mobile security. He won the Q2 2016 FireEye innovation award for his seminal work on similarity analysis. He earned his PhD degree in Computer Science at the University of California, Berkeley in 2010. After his graduation, he joined Professor Dawn Song's team as a post doc focusing on similarity analysis of x86 and Android applications. In 2011, he joined Professor Song in the mobile security startup Ensighta, leading the research and development of the automatic malware analysis platform. Ensighta was acquired by FireEye in December of 2012. He joined FireEye through the acquisition. JD security research center in Silicon Valley focuses on these seven areas: account security, APT detection, bot detection, data security, AI applications in security, Big Data applications in security, and IoT security.

Transferability of Adversarial Examples to Attack Cloud-based Image Classifier Service

Liu Yan (Dou Goodman) Senior Security Researcher, Baidu X-Lab

Hao Xin Security Researcher, Baidu X-Lab

Wang Yang Security Researcher, Baidu X-Lab

Wei Tao Chief Security Scientist, Baidu

In recent years, Deep Learning(DL) techniques have been extensively deployed for computer vision tasks, particularly visual classification problems, where new algorithms reported to achieve or even surpass the human performance . While many recent works demonstrated that DL models are vulnerable to adversarial examples.Fortunately, generating adversarial examples usually requires white-box access to the victim model, and real-world cloud-based image classifier services are more complex than white-box classification and the architecture and parameters of DL models on cloud platforms cannot be obtained by the attacker. The attacker can only access the APIs opened by cloud platforms. Thus, keeping models in the cloud can usually give a (false) sense of security.In this paper, we mainly focus on studying the security of real-world cloud-based image classifier services. Specifically, (1) We propose a novel attack methods, Fast Featuremap Loss PGD (FFL-PGD) attack based on Substitution model ,which achieve a high bypass rate with a very limited number of queries. Instead of millions of queries in previous studies, our methods find the adversarial examples using only two queries per image ; and (2) we make the first attempt to conduct an extensive empirical study of black-box attacks against real-world cloud-based classifier services. Through evaluations on four popular cloud platforms including Amazon, Google, Microsoft, Clarifai, we demonstrate that Spatial Transformation (ST) attack has a success rate of approximately 100% except Amazon approximately 50%, FFL-PGD attack have a success rate over 90% among different classifier services.

Liu Yan (Dou Goodman), Head of AI security team of Baidu X-Lab, is a technology writer of AI Safety Trilogy. His research interests include AI and network security. He starts the open source project Advbox.

Wang Yang is a senior security researcher of Baidu X-Lab. His interests lie in face recognition, adversarial learning, and data mining. He maintains and actively contributes to Advbox project that is an open source toolbox for AI safety.

Hao Xin has been engaged in security product development for many years in Baidu. His main research directions include object detection and image classification.

Dr. Tao (Lenx) Wei is the head of Baidu X-Lab. Prior to joining Baidu, he was an associate professor at Peking University. His research interests include software analysis and system protection, web trust and privacy, programming languages, and mobile security.

Face Swapping Video Detection with CNN

Wang Yang Security Researcher, Baidu X-Lab

Junfeng Xiong Security Researcher, Baidu X-Lab

Liu Yan Security Researcher, Baidu X-Lab

Hao Xin Security Researcher, Baidu X-Lab

Wei Tao Chief Security Scientist, Baidu

Recent developments of fabricating faces in videos such as Deepfakes have raised significant concerns that these deep learning techniques may be abused to create pornographic video or fake propaganda. In Deepfakes videos, the faces of a person are replaced with the faces of another one. And these faked videos are nearly indistinguishable for human. We find CNN-based networks can effectively distinguish DeepFakes videos from the real ones and present two effective methods. Firstly, we use a simple yet effective CNN architecture with several convolutional layers to build a powerful DeepFakes detector. Secondly, we find a FaceNet based method is an effective binary classifier. FaceNet is one of the state-of-the-art convolutional neural networks for face recognition, which could catch high-level features of faces. We use these features to train an SVM classifier. The two methods demonstrate successful detection reaching an accuracy rate of 99% and 94% respectively among our tests.

Wang Yang is a senior security researcher of Baidu X-Lab. His interests lie in face recognition, adversarial learning, and data mining. He maintains and actively contributes to Advbox project that is an open source toolbox for AI safety.

Junfeng Xiong(Jay Xiong) is an AI security researcher at Baidu X-Lab. His research interests cover deep learning security, privacy and IOT.

Liu Yan (Dou Goodman), Head of AI security team of Baidu X-Lab, is a technology writer of AI Safety Trilogy. His research interests include AI and network security. He starts the open source project Advbox.

Hao Xin has been engaged in security product development for many years in Baidu. His main research directions include object detection and image classification.

Dr. Tao (Lenx) Wei is the head of Baidu X-Lab. Prior to joining Baidu, he was an associate professor at Peking University. His research interests include software analysis and system protection, web trust and privacy, programming languages, and mobile security.

The art of game security

Joey Zhu Expert/Director

The game security is a branch of security without noteworthy, but the problems is critical for game survival. The underground economy cost billions of dollars loss from game, the presentation will discover some founding at underground economy at first. In the main part of presentation will show some techniques details of game hacks with comparison of traditional security problem. The last part will discuss some protection countermeasures against those hacks and exploits.

Joey Zhu is an expert and director at Tencent, and working on Game Security since 2013. Previously, he was an architect and researcher at Trend Micro China from 2005 to 2012. His major work focus on PE virus sandbox, Script Analysis Engine on web threats and Game Security solution. He was honored to be a speaker on the topic “Chinese phishing at DEF CON 19”, in Las Vegas, in 2011.

WeChat: joey-nj

Chinese Mechanical Locks - An Insight into a Unique World of Locks

Lucas Zhao UrbanHawk

In most of the world, the lock market is pretty unremarkable. However, there is a whole other world of lock designs that are sold exclusively to the Chinese domestic market. This presentation will discuss a variety of topics regarding Chinese mechanical lock designs, from the unique dynamics of the market that fostered these designs, to flaws present in these designs, as well as how we can use some of these principles present in these locks for use in other situations.

Lucas Zhao (UrbanHawk) is a 19-year-old lockpicker (albeit a mediocre one) with a special interest in Chinese locks, and an avid collector of locks from all over the world. He has been dissecting and researching locks since he was 10 years of age, and has a fairly comprehensive knowledge of all things related to locks. He loves to talk endlessly about his lock interests to anyone who will listen, much to the annoyance of his friends, who now avoid actively avoid him. He currently attends Case Western Reserve University in Cleveland, OH as an undergraduate student.

Twitter: @TheUrbanHawk

Hacking Driverless Vehicles


Did you watch Total Recall and wish you could fuck up JohnnyCab? Driverless vehicles are here at last and practically ripe for the hacking. Autonomous and unmanned systems already patrol our skies and oceans, and are being tested on our streets, highways and sidewalks. All trends indicate these systems are at an inflection point that will show them rapidly becoming commonplace. It is therefore a salient time for a discussion of their capabilities and potential vulnerabilities.

This session will be an informative and light-hearted look at the current state of civil driverless vehicles and what hackers or other reprobates might do to mess with them. Topics covered will include the full suite of common and proposed sensors, decision profiles and potential failure modes that could be exploited. This talk aims to both inspire unmanned vehicle designers and end users to think about robustness to adversarial and malicious scenarios, and to give the paranoid false hope of resisting the robot revolution.

Zoz is a robotics interface designer and rapid prototyping specialist. As co-host of the Discovery Channel show 'Prototype This!' he pioneered urban pizza delivery with robotic vehicles, including the first autonomous crossing of an active highway bridge in the USA, and airborne delivery of life preservers at sea from an autonomous aircraft. He, for one, welcomes our new robot chauffeurs, and would only mess with them out of tough love.