skip to main content

DEF CON China Hacking Conference



English | 中文

Welcome to DEF CON China

The Dark Tangent, Zhang Yaqin, & Ma Jie

Androsia: Securing 'Data in Process' for your Android Apps

Samit Anwer

Each Android app runs in its own VM, with a limited heap size for creating new objects. The Android OS/app doesn't differentiate between regular objects and objects that contain security sensitive information. These critical objects are kept around in the heap until the OS hits a memory constraint. The OS then chooses to invoke garbage collector in order to reclaim memory from the apps. Java does not provide explicit APIs to reclaim memory occupied by objects. This leaves a window of time where the security critical objects live in the memory and wait to be garbage collected. During this window a compromise of the app can allow an attacker to read the credentials. This is a needless risk every Android application lives with today. We propose a tool called Androsia, which performs a summary based interprocedural data flow analysis to determine the points in the program where security sensitive objects are last used (so that their content can be cleared). Androsia then performs bytecode transformation of the app to flush out the secrets resetting the objects to their default values. Attendees will learn: a) why* APIs for destroying objects are not upto the mark?, b) the key terms used in data flow analysis with live examples and finally, c) how Androsia protects data in process of Android apps?

Samit Anwer is a Web/Mobile Application security researcher. Soon after completing his Master's degree from IIIT Delhi in Mobile and Ubiquitous Computing he joined Citrix R&D India as a Product Security researcher.

He is actively involved with vulnerability research in popular Web/Mobile apps and has responsibly disclosed several security vulnerabilities with Google Cloud Print API, XSS filter evasion on IE 11/MS Edge, code execution on Microsoft Windows 10, Microsoft's OAuth 2.0 implementation and buffer overflows on MS Edge/IE 11.

He is an active member of the Null Bangalore Chapter, IEEE community and has spoken on various security topics at BlackHat Asia Singapore (2018), AppSec USA, Orlando (2017), c0c0n X, Kerala (2017), CodeBlue, Tokyo (2017), and Null meets (2015, 2016, 2017)

His technical interests lie in using static program analysis techniques to mitigate security and performance issues on mobile/web apps, breaking web/mobile apps, and researching on cutting edge authentication and authorization mechanisms. His publications can be found here:

Triton and Symbolic Execution on GDB

Weibo Chen

I Introduce the concept of symbolic execution and Triton. ( Detailed steps of how I design and develop SymGDB( I Will also explain the architecture design, what kind of problem I met, and how to debug when I develope SymGDB. At the end, compare the differences between Triton and other symbolic execution framework.

Weibo Chen, is Co-founder of NCTUCSC( and member of Bamboofox CTF team. Recently, he got his master degree from National Chiao Tung University. He focuses on symbolic execution and binary exploit. His passion is for security education and security research. He loves to share knowledge with other people.

Spreading malware with Google (Nice Quilombo)

Fabian Cuchietti
Gonzalo Sanchez

Google products have a good reputation and are synonymous with reasonably high and reliable levels of security. However, in this talk, Fabian and Gonzalo will focus to show a case of how Google Earth will be the vector attack to make an antimalware evasion by a technique of malware injection into memory, and evading the Google Earth sandbox.

Three scopes will be covered during the conference:

- Google Session Hijacking
- Remote Code Execution (Remote Shell)
- Javascript malware execution (Monero Minning)

Fabian Cuchietti (Argentina '90) started in the security world at a very young age. Member of the Hall of Fame of companies such as Google, Facebook, Apple, Microsoft, Mozilla or Paypal. He was one of the first south american members of Synack's Red Team. Since 2015 he has been working as Red Team Member at Internet Security Auditors.

Gonzalo Sanchez (Spain '81) is Red Team Leader in Internet Security Auditors and is manager of the hacking team of Madrid, Barcelona and Bogotá.

Fabian and Gonzalo meet at ISEC Auditors and are working together building crazy big things.

You Logged Into My Account


This topic describes some ways for inducing victims to log into an attacker's account on the Internet, which can result in some vulnerabilities and attack scenarios.Meanwhile, this topic will also mention how to fix it.This kind of security risk is often overlooked, while it can provide important help for some use of vulnerabilities, even combining some of the low-risk vulnerabilities or features of CSRF, selfxss, OAuth, and SSO, etc. to steal login credentials, bind third-party backdoors accounts, steal privacy, access others’ resources, conduct phishing attacks and implement fraudulent use of identity, etc.

Network ID: Daizibukaikou. He is skillful in web security and once worked for Internet companies such as Sina, Nokia, Meituan, and Xiaomi on information security. He is currently working for Antfin as a security expert, and is responsible for the system and network security.

I Am Groot: Examining the Guardians of Windows 10 Security

Chuanda Ding Tencent Security Xuanwu Lab

Being one of the main targets of 3 Pwn2Own competitions, Microsoft Windows 10, along with Microsoft Edge, is proven more and more difficult to exploit.

Now Windows 10 has been released for more than 2 years, Microsoft has been constantly updating the security mitigations integrated with the operating system. After 5 major releases, multiple levels of protections have been added to prevent a programming error from turning into a full system compromise.

You may have heard many of them marketed as "Guards" under the Windows Defender brand. But how do they actually work?

As Pwn2Own participants (and winners), we closely watched Windows 10 security evolve over the years.

In this talk, you will get a behind-the-scene view of Windows 10 security mitigation implementations, how it helped make attackers' life harder, and how the attackers overcame it.

Chuanda Ding is a senior security researcher at Tencent Security Xuanwu Lab, conducting research on Windows security.

He spoke at CanSecWest 2016, QCon Beijing 2016 and CanSecWest 2017.

Hacking Intranet from Outside: Security Problems of Cross Origin Resource Sharing (CORS)

Dr. Haixin Duan professor at the Institute for Network Science and Cyberspace, Tsinghua University

Jianjun Chen PhD student, Tsinghua University

The default Same Origin Policy essentially restricts access of cross-origin network resources to be “write-only”. However, many web applications require “read” access to contents from a different origin, so developers have come up with workarounds, such as JSON-P, to bypass the default Same Origin Policy restriction. Such ad-hoc workarounds leave a number of inherent security issues. CORS (cross-origin resource sharing) is a more disciplined mechanism supported by all web browsers to handle cross-origin network accesses. In this talk we present our empirical study about the real-world uses of CORS. We find that the design, implementation, and deployment of CORS are subject to a number of new security issues: 1) CORS relaxes the cross-origin “write” privilege in a number of subtle ways that are problematic in practice; 2) CORS brings new forms of risky trust dependencies into web interactions; 3) CORS is generally not well understood by developers, possibly due to its inexpressive policy and its complex and subtle interactions with other web mechanisms, leading to various misconfigurations. Finally, we propose protocol simplifications and clarifications to mitigate the security problems uncovered in our study.

Dr. Haixin Duan is a professor at the Institute for Network Science and Cyberspace, Tsinghua University.He was once a visiting scholar at UC Berkeley and a senior scientist in International Computer Science Institute(ICSI). Dr. Duan has been working on network security for more than 20 years. His recent research interests include protocol security, intrusion detection, underground economy detection and etc. Some of his research results were deployed by industries like Baidu, and published in top security conferences like Security & Privacy, USENIX Security, CCS and NDSS.

Jianjun Chen: is a PhD student at Tsinghua University supervised by Prof. Haixin Duan. In 2015, he visited UC Berkeley under the direction of Prof. Vern Paxson. Currently he has published three papers on top security conferences(NDSS, CCS, IEEE S&P). Among them, the NDSS paper on CDN forwarding loop attacks has won the conference's "Distinguished Paper Award". It is the first time that a Chinese scholar wins this award as the first author in top security conferences. His research work are not only recognized by the academic community, but also help many well-known industrial companies(eg. AKamai, Cloudflare, Tencent) and open-source software(eg. Squid) to fix multiple severe vulnerabilities.

Lessons Learned from Five Years of Building Capture the Flag

Vito Genovese Member, Legitimate Business Syndicate

Capture the Flag is the ultimate test of hacker skill, and DEF CON is the oldest and most prestigious CTF venue. After five years running DEF CON CTF with Legitimate Business Syndicate, our journey running this series of games has come to a close, but what remain are the lessons we learned along the way.

This presentation will cover topics about all aspects of CTF organization: the history of CTF, building a cross-functional organizing team that sticks together year after year, developing a game infrastructure that handles the onslaught of attacks from players, and the stories behind some of the most difficult CTF challenges ever built.

Vito Genovese is a founding member of Legitimate Business Syndicate, organizers of DEF CON Capture the Flag from 2013 to 2017. Vito's work included building infrastructure for distributed software development, designing and building both cloud-based and on-site scoring systems for CTF, visual design and branding of competition materials, picking fonts, sourcing coffee and other beverages, and writing public material for the Legitimate Business Syndicate blog and Twitter accounts.

Fooling Image Search Engine

Yuanjun Gong
Bin Liang
Jianjun Huang

Our work brings to light that Content-Based Image Retrieval (CBIR) systems, which are commonly used in image search engines, can be potential attack targets of adversaries. In this work, we present the threat model of evading the CBIRs. Specifically, we focus our work on the SIFT/SURF based CBIRs and propose several algorithms for removing/injecting the key points in images to bypass the algorithms. We apply the RMD algorithm and our algorithm to remove the SIFT and SURF key points respectively. Moreover, we inject SIFT key points into images with our IMD algorithm (inverting the operation of RMD) or surround an image with a frame filled with ‘basic bricks’. We evaluate the algorithms on an image indexing engine VisualIndex with three strategies: removal only, injection only and hybrid. The experimental results show the effectiveness of bypassing the engine. With the algorithms and strategies, we succeed in evading Google Image Search Engine, which can be considered as a black-box CBIR system, while the utility of the image is preserved. We also demo the possibility of source/target attack. To conclude, our work proves the existence of threats to CBIR systems and demonstrates that industrial-level Image Search Engines, such as Google Image Search, are prone to be attacked with adversarial images.

Yuanjun Gong is an undergraduate student at Rennin University of China, majoring in Information Security.

Bin Liang received the Ph.D. degree in Computer Science from Institute of Software, Chinese Academy of Sciences. He is currently a Professor at School of Information, Renmin University of China. His research interests focus on program analysis, vulnerability detection, and Web security.

Jianjun Huang received the Ph.D. degree in Computer Science from Purdue University. He is currently an Assistant Professor in Renmin University of China. He is now focusing on detecting vulnerability in destktop/mobile/Web applications.

Security Research Over the Windows (kernel)

Peter Hlavaty Senior Security Researcher at Keenlabs Tencent

Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.

Peter ( @zer0mem ) is Senior Security Researcher at KeenLab, Tencent. Focusing mainly on sandbox escapes on windows platform, virtualization, and mitigation bypasses. Pwn2Own 2016..2017 winner, frequent speaker at software security conferences like recon, bluehat, zeronights, syscan, and others.

Bugs Aren't Random: A Unified Perspective on Building and Breaking

Dan Kaminsky Chief Scientist, White Ops

It can take looking at a few thousand bugs, but eventually hacking feels like getting really good at telling the same joke, over and over again. It's OK, the computer still laughs, but why isn't software engineering delivering the reliability and predictability of other engineering disciplines?

That's a question with an answer. It's not an easy answer, like "devs are lazy" or "tools are bad". Who are hackers to complain about either? But it's an answer I intend to explore, in true hacker fashion, by seeing traditional boundaries as mostly false, but useful for identifying what to fuzz.

Why should we separate the humans that write bugs, from the tools the tools they use? Humans write tools. Why these tools in particular?
Why would we separate forward and reverse engineering, dev from test? Wait, are those the same thing? Does any other field isolate the creator from the consequences of their creation?

Is this going to be just some fluffy exploratory keynote? No, this is way too long a flight for that. We're going to talk about where I think software and hardware architecture is going to go, with actual code you're welcome to try to break. I'll tell you exactly where to look.

Should be fun.

Dan Kaminsky Dan Kaminsky has been hacking professionally for almost twenty years. A well known speaker at conferences such as Black Hat and Defcon, Dan is the Co-Founder and Chief Scientist of White Ops, and is one of seven Recovery Key Shareholders for the Internet's Domain Name System. Dan's research spans a wide variety of topics, but he gets the coolest emails from kids who use his iPhone app to correct their color blindness. It's called DanKam, because of course it is, and he's telling you this so he has to get it back on the iPhone store already.

Smart Contract Hacking

Konstantinos Karagiannis CTO, Security Consulting, BT Americas

Smart contract hacking always makes headlines. Typical incidents can cost millions or even hundreds of millions in losses. And the problem doesn't seem to be going away. Recent independent scans show 34,200 vulnerable smart contracts lurking on the Ethereum blockchain. It's time to help these developers secure their code and foster a new generation of hardened SDLC practices. Ethereum has fantastic Turing-complete functions awaiting our use, and Solidity smart contracts are a crucial way that the Enterprise Ethereum Alliance, Quorum, and other entities plan on moving to Web 3.0. Ethical hacking of all this new code is a necessary service and excellent way to cash in (ethically).

Join Konstantinos for a look at a Solidity hacking methodology that can be applied right away, including the latest open source tools.

Konstantinos Karagiannis is the Chief Technology Officer for Security Consulting at BT Americas. In addition to guiding the technical direction of ethical hacking and security engagements, Konstantinos specializes in hacking financial applications, including smart contracts and other blockchain implementations. He has spoken at dozens of technical conferences around the world, including DEFCON, Black Hat Europe, RSA, and ISF World Security Congress.

Beyond Adversarial Learning — Data Scaling Attacks in Deep Learning Applications

Kang Li Director, Institute for Cybersecurity and Privacy, University of Georgia

In this presentation the speaker will demonstrate attacks that target the data scaling process in popular deep learning examples. By carefully crafting input data that mismatches with the scales used by deep learning models, the speaker will show how an attacker can successfully evade image classification even when applications use well-trained deep learning models. The speaker will also present a few potential defending strategies to detect or mitigate such data-flow attacks.

Kang Li is a professor of computer science and the director of the Institute for Cybersecurity and Privacy at the University of Georgia. His research results have been published at academic venues, such as IEEE S&P, ACM CCS and NDSS, as well as industrial conferences, such as BlackHat, SyScan, and ShmooCon. Dr. Kang Li is the founder and mentor of multiple CTF security teams, including SecDawg and Blue-Lotus. He is also a founder and player of the Team Disekt, a finalist team in the 2016 DARPA Cyber Grand Challenge.

Passwords in the Air: Harvesting Wi-Fi Credentials from SmartCfg Provisioning

Changyu Li
Quanpu Cai

Smart devices without an interactive UI (e.g., a smart bulb) typically rely on specific provisioning schemes to connect to wireless networks. Among all the provisioning schemes, SmartCfg is a popular technology to configure the connection between smart devices and wireless routers. Although the SmartCfg technology facilitates the Wi-Fi configuration, existing solutions seldom take into serious consideration the protection of credentials and therefore introduce security threats against Wi-Fi credentials.

We conduct a security analysis against eight SmartCfg based Wi-Fi provisioning solutions designed by different wireless module manufacturers. Our analysis demonstrates that six manufacturers provide flawed SmartCfg implementations that directly lead to the exposure of Wi-Fi credentials: attackers could exploit these flaws to obtain important credentials without any substantial efforts on brute-force password cracking. Furthermore, we keep track of the smart devices that adopt such Wi-Fi provisioning solutions to investigate the influence of the security flaws on real world products. Through reversely analyzing the corresponding apps of those smart devices we conclude that the flawed SmartCfg implementations constitute a wide potential impact on the security of smart home ecosystems.

Changyu Li graduated from Xidian University with the major of Information Security. After graduated, he continues studying at Shanghai Jiao Tong University, focusing on software security. He is now a member of Lab of Cryptology and Computer Security (LoCCS). He takes an interest in the security and privacy of Internet of Things; especially, smart home. Also, he is a big fan of CTF games.

Quanpu Cai, a undergraduate student at Shanghai Jiao Tong University with the major of Cyber Security, now as a member of Lab of Cryptology and Computer Security (LoCCS). His interest covers a large span of security, including reversing and exploiting, mainly related to the area of Internet of Things.

Transparent Malware Debugging on x86 and ARM

Zhenyu Ning Ph.D. candidate, Wayne State University
Fengwei Zhang Assistant Professor, Wayne State University

With the rapid proliferation of malware attacks on the Internet, understanding these malicious behaviors plays a critical role in crafting effective defense. Existing malware analysis platforms leave detectable fingerprints like uncommon string properties in QEMU, signatures in Linux kernel profiles,and artifacts on basic instruction execution semantics. Since these fingerprints provide the malware a chance to split its behavior depending on whether the analysis system is present or not, existing analysis systems are not sufficient to analyze the sophisticated malware. In this talk, we present the framework for transparent malware analysis, which leverages the hardware features in existing PC and mobile devices to increase the transparency of malware analysis. In particular, we introduce MalT on the x86 architecture and Ninja on the ARM architecture. MalT uses the system management mode as the execution environment and performance monitor unit as hardware assistant to facilitate the analysis, whereas Ninja involves the TrustZone technology and embedded trace macrocell to improve the transparency. Moreover, both MalT and Ninja are OS-agnostic, and do not require modification to the operation system or the target application.

Zhenyu Ning is a Ph.D. candidate with the Computer Science Department at Wayne State University. He received his master degree in computer science from Tongji University in 2011. His research interests are in the areas of hardware-assisted system security, embedded systems, and trusted execution environments.

Fengwei Zhang is an Assistant Professor with the Computer Science Department at Wayne State University. He received his Ph.D. degree in computer science from George Mason University in 2015. His research interests are in the areas of systems security, with a focus on trustworthy execution, transparent malware debugging, transportation security, and plausible deniability encryption. He is a recipient of the Distinguished Paper Award in ACSAC 2017.

From Dark Visitors to Valued Allies: The Evolution of the Hacker Community in Asia and Around the World!

Jayson E. Street

Jayson E. Street will take the attendees on a journey through time and around the world. Exploring one of the most difficult questions that faces our community. What is a Hacker? He'll focus on famous Chinese hackers throughout history and how we all connect through a global community. Be prepared to have your beliefs challenged and hopefully some questions answered.

Jayson E. Street is an author of the "Dissecting the hack: Series". Also the DEF CON Groups Global Ambassador. Plus the VP of InfoSec for SphereNY. He has also spoken at DEF CON, DerbyCon, GRRCon and at several other 'CONs and colleges on a variety of Information Security subjects. *He was a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far but if they are please note he was chosen as one of Time's persons of the year for 2006.

When Memory-Safe Languages Become Unsafe

Mingshen Sun Researcher, Baidu X-Lab

Yulong Zhang Senior Staff Security Scientist, Baidu X-Lab

Dr. Wei Tao Chief Security Scientist, Baidu

Fatal bugs introduced by non-memory-safe languages (C/C++/etc.) are one of the oldest yet persistent problems in computer security. To alleviate this issue, there has been an emerging trend to re-implement programs using memory-safe languages (Rust/Go/Swift/etc.). By using such languages, developers usually have an illusion that they have obtained 100% guarantees of type soundness, memory-safety, and thread safety.

However, through our assessment of a wide range of open-source projects, we found that this assumption is not correct and sometimes can lead to dangerous consequences. We collected and analyzed more than 10,000 Rust programs. All of these programs rely on libc, and at least 25% depend on extra unsafe C/C++ libraries. These libraries break Rust's memory-safety promise and also expose users to great threats. Unfortunately, the inclusion of C/C++ libraries are agnostic to developers, leaving the issue unnoticed. What's more, some of the C/C++ libraries are statically linked. This leads to fragmentation and makes it challenging to carry out a scalable patching.

Even if a program is fully developed using memory-safe languages, memory security issues can still occur. Rust allows developers to write unsafe code using "unsafe" keyword, but some libraries wrap unsafe code and re-export as "safe" functions. If developers use these "safe" functions, they are not aware of the unsafety introduced by these libraries. Moreover, we will show that some of the memory-safe languages fail to zero-out memory regions on object destruction, which can lead to secret memory leakages.

To illustrate the real-world threats, we will provide a few detailed case studies and live demos where programs developed by memory-safe languages can still be exploited via memory bugs. Finally, we will offer suggestions and provide tools for developers/users to achieve a sustainable ecosystem.

Mingshen Sun is a senior security researcher of Baidu X-Lab at Baidu USA. He received his Ph.D. degree from The Chinese University of Hong Kong. His interests lie in solving real-world security problems related to system, mobile, IoT devices and cars. He maintains and actively contributes to the MesaLock Linux project, a memory-safe Linux distribution.

Twitter: @MingshenSun

Dr. Wei (Lenx) Tao is the Chief Security Scientist at Baidu, and Adjunct Professor at Peking University. He was also a co-organizer of the BitBlaze Group in UC Berkeley. His research interest lies in security architecture, programming languages and machine learning. Beside defending Baidu against various kinds of attacks, he also initiates, directs and promotes several important open-source security projects of Baidu, such as MesaLock Linux (a memory-safe Linux distribution), Rust SGX SDK, OpenRASP, etc.

From Memory Safety to Non-bypassable Security

Dr. Wei (Lenx) Tao Chief Security Scientist at Baidu, and Adjunct Professor at Peking University

Security researchers and engineers have worked hard for decades to protect software written in memory unsafe languages like C or C++, but real world exploits show that all currently deployed protections can be defeated. Therefore, memory safe programming languages like Rust or Go get more and more attention. However, there is still a significant gap between memory safety and formal verification -- i.e. memory safety cannot guarantee that your software is vulnerability-free, and formal verification for general software is still too complex to be adopted widely.

In this talk, we propose Non-bypassable Security Paradigm (NbSP), which bridges memory safety and formal verification. The "Non-bypassable" property was introduced by MILS (Multiple Independent Levels of Security/Safety) and it requires that one component cannot use another communication path, including lower level mechanisms to bypass the security monitor. NbSP combines program analysis and specifications to ensure that critical check points are non-bypassable. In this way, NbSP reduces attack surfaces significantly, and makes it practical for either detailed manual inspection or further formal verification of authentication, authorization and auditing.

Dr. Wei (Lenx) Tao is the Chief Security Scientist at Baidu, and Adjunct Professor at Peking University. He was also a co-organizer of the BitBlaze Group in UC Berkeley. His research interest lies in security architecture, programming languages and machine learning. Beside defending Baidu against various kinds of attacks, he also initiates, directs and promotes several important open-source security projects of Baidu, such as MesaLock Linux (a memory-safe Linux distribution), Rust SGX SDK, OpenRASP, etc.

DEF CON Groups Panel

Peter Wesley
Tielei Wang
Changsheng Gao
Xinpeng Liu
Jun Li
April C. Wright
Jayson E. Street

Have you ever felt frustrated that the super cool DEFCON only happen once a year in Las Vegas? Visa,flights,time,language,distance are all possible reasons that prevent you from enjoying DEFCON. Well, thanks to DEF CON groups, you're able to carry the spirit of DEF CON with you year round, and with local people, transcending borders, languages, and anything else that may separate us! Most importantly, local DEFCON Groups are the platforms to unite us all to achieve causes, to inspire others,regardless of their background, race.

In this talk, you'll hear from DEF CON's founder Dark Tangent, the Ambassador of DEF CON groups Jayson E. Street, DEFCON GROUP 010 founder Jun Li who is also moderating the panel, DEFCON GROUP 617 founder April C. Wright,DEFCON GROUP 86021 founder Tielei Wang, DEFCON GROUP 86755 founder Peter Wesley, DEFCON GROUP 0571 founder Changsheng Gao, DEFCON GROUP 0531 founder Xinpeng Liu . They will first discuss what is hacking,the spirit of hackers,what are the differences between different hacker communities,what interesting experiences can different groups learn from each other,then they will discuss how hacker spirit is contributing to the society in good ways,discuss how to cultivate the next generation of security professionals (aka hackers),finally they will talk about some future projects they might be able to cooperate on,for example go to the remote areas to inspire kid to learn and use technology to change the world.

Founders of their own local DEF CON groups will also discuss the awesome projects of their groups, as well as projects from other groups, to give ideas to take back to your own DEF CON group. Projects we'll discuss range from custom badge build, IoT devices, vintage gaming systems, custom built routers, smarthome devices and more!

Peter Wesley is a security researcher based in Shenzhen, China, where he runs a consultancy specializing in product security services. He has over 20 years experience in IT security, predominately in the Finance and Telecommunications industries, and has previously worked for Huawei Technologies in China, and NBN Co and Hacklabs in Australia. Peter is the organizer of the DC86755, the DEFCON group in Shenzhen.

Tielei Wang is a member of Team Pangu. He was a research scientist at the Georgia Institute of Technology from 2012 to 2014 and received his Ph.D. degree in 2011. His research interests include system security, software security, and mobile security. He discovered a number of zero-day vulnerabilities and won the Secunia Most Valued Contributor Award in 2011. He has published many papers in top research conferences including IEEE Security and Privacy, USENIX Security, ACM CCS, and NDSS, and gave several presentations at BlackHat USA, CanSecWest, POC, and RUXCON. He is the POC of DC86021, the DEFCON group in Shanghai.

Changsheng Gao(aka Fuhei)is an enthusiast of Web security, he is one of the leaders of Whitecap 100 security team, leader of CTF team W&P,he is also the POC of DEFCON GROUP 0571, the DEFCON group in Hangzhou.

Xinpeng Liu is a security researcher from EversecLab, he is focused on web security,botnet tracking and malware analysis. He is speaker of DEFCON GROUP 010. He is the POC of DC0531,the DEFCON group in Jinan.

Jun Li is a security researcher at UnicornTeam in the Radio Security Research Department of 360 Security Technology. He is interested in hardware security, connected car security, wirelfess security. He presented his research about wireless hacking and car hacking at Blackhat, DEFCON, HITB, CanSecWest, Syscan360, etc. He is the author of three books,《无线电攻防大揭秘》、《智能汽车攻防大揭秘》、《Inside Radio: An Attack and Defense Guide》,He is member of DEFCON GROUPS GLOBAL ADVISORY BOARD,the POC of DC010, the first DEFCON group in China.

April C. Wright (@AprilWright) is a hacker, author, teacher, and community leader with over 25 years of breaking, making, fixing, and defending critical global connections. She has held roles on offensive, defensive, operational, and development teams. A security risk specialist for a Fortune 15 company, April has been a speaker and contributor at numerous security conferences, and for US Government and industry organizations such as OWASP and ISSA. She has started multiple small businesses including a non-profit, fulfills the role of Signaler for the DEFCON Groups Core Team, and co-founded Boston DC617.

Jayson E. Street is an author of the "Dissecting the hack: Series". Also the DEF CON Groups Global Ambassador. Plus the VP of InfoSec for SphereNY. He has also spoken at DEF CON, DerbyCon, GRRCon and at several other 'CONs and colleges on a variety of Information Security subjects.

*He was a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far but if they are please note he was chosen as one of Time's persons of the year for 2006.

General ways to find and exploit Path Traversal Vulnerabilities on Android APPs

Xiaobo Xiang (Elphet)

Directory traversal vulnerabilities are very common in Android applications. This is also a place that developers ignore easily. Directory traversal vulnerabilities are also very harmful because it can break the application sandbox mechanism of Android.

In this paper, we will introduce the research of directory traversal vulnerabilities on the Android platform. from the aspects of what it is, how to find them, what they will cause and how to exploit them. We will explain these contents in a practical way.

Xiaobo Xiang (Elphet) is a security researcher of 360 Alpha Team. He has submitted multiple bugs to Google and several other vendors in China. He is a Doctor Candidate in University of Chinese Academy of Sciences (UCAS), who mainly focuses on Android vulnerability reseach. In his spare time, he is keen on participating CTF games as a pwner in the CTF team NeSE (aka Never Stop Exploiting), which is a well-known separate CTF team in China.

Blasted to Bits: Mutilating Media in a Minute


Governments and large organizations all know the importance of destroying retired physical data storage units: the waste stream has the potential to be a major leak of security-relevant information, to competitors, criminal syndicates and the public. Hackers have long appreciated the insights to be gleaned through trashing! But the volumes of data stored today make this process difficult to accomplish instantaneously, and data in the wrong hands is money -- or your freedom. If you manage data that might be at risk of physical attack by untouchable agents, could there be a way to ensure its physical destruction in under 60 seconds at the flip of a switch? In this research I investigate multiple paths to forensic-resistant elimination of physical media via thermal, kinetic and high voltage methods. Both magnetic and flash storage devices are investigated, requiring the development of new techniques for high explosives manufacture, delivery and encapsulation, including the use of 3D printing. Surprising results will be presented.

Zoz is a robotics engineer, rapid prototyping specialist and lifelong enthusiast of the pyrotechnic arts. Once he learned you could use a flamethrower and a coffee creamer bomb to fake a crop circle for TV he realized there are really no limits to creative destruction.