A selection of interesting talks from the 35C3 conference
At the end of December 2018, the 35th Chaos Communication Congress was held in Leipzig. This year the congress pleased us with a large number of excellent technical talks. I present to your attention a selection of the most interesting of them (in chronological order).
Hanno Böck gave a great talk about the history of SSL and TLS up to the new TLS 1.3, about the attacks on implementations of this protocol family and how they were dealt with. Of particular interest to me were the difficulties of migrating the entire Internet to new versions of the protocols.
Thomas Roth, Josh Datko and Dmitry Nedospasov teamed up and did an excellent study of the security of hardware cryptocurrency wallets. They covered the security of the supply chain, the firmware and the hardware itself, and the hardware part is especially interesting. Namely, the researchers picked up with a special antenna the signal from the display to the CPU, which travels along a long trace on the device board. They also successfully carried out a glitching attack and even built a special rig with a carriage into which a chip from the wallet can be inserted; this rig automatically extracts the wallet's seed using glitching. Cool, I liked it.
The topic of hardware security was continued by Trammell Hudson with a talk on the Supermicro implant. He tried to examine the whole story impartially, but his talk was inconsistent. Trammell cited many facts in an attempt to show that the hardware implant described in the scandalous Bloomberg article is feasible. He even showed a demo in which he runs the BMC firmware under qemu and executes arbitrary commands as root in it by substituting the image from the qemu side. However, according to some experts, the speaker's arguments are very controversial.
Researchers from Ruhr University talked about the inner workings of the microcode of AMD processors. The talk has a lot of technical details that will be useful to those who need to understand the topic deeply. It is a continuation of last year's talk. What I liked is that the researchers wrote their own microcode implementing a hardware Address Sanitizer, which works without instrumenting memory accesses in the executable file. Unfortunately, this approach was tested only on a toy operating system, so it is impossible to say for sure how much faster than KASAN it would be in the Linux kernel.
Saar Amar gave an excellent talk in which he showed bypasses of user-space exploit mitigations on Windows 7 and 10. Live demos, just fire. It will be interesting to those who specialize in the security of other operating systems, because these techniques are alike everywhere.
Claudio Agosti spoke about a browser plugin that tracks how Facebook delivers content to different types of users. The technology was tested during the elections in Italy and yielded very interesting statistics. The goal of the project is not to reverse-engineer Facebook's algorithms, but to understand more deeply how a particular public event is covered on the social network.
An entertaining overview talk about the Spectre and Meltdown vulnerability family. The topic is already widely covered, but here is an interesting point: the researchers recently published a large set of new vulnerabilities of this type and built a whole classification. Yet for some reason this information is not under embargo. Even the Q&A section did not clarify why the operating system developers are not currently working on protection against the exploitation of these new vulnerabilities. Maybe because there are no PoC exploits?
A very cool and complex talk from Joscha Bach about the human mind and artificial intelligence, their differences and similarities. A mixture of philosophy, mathematics, neurophysics and peculiar humor. One to watch late at night.
An 18-year-old from Israel told how he found an RCE in the ChakraCore engine of the MS Edge browser. A nice example of type confusion: a floating-point number is turned into a pointer and dereferenced.
An excellent talk about vulnerabilities in self-encrypting SSDs (which BitLocker trusts, by the way). The speaker dissected the threat model (which is pleasing), broke the SSD encryption of several manufacturers (all with demos) and concluded that this self-encryption is in every case worse than software encryption done by the OS. Recommended.
A superb talk on hacking the PlayStation Vita (up to reading the platform's most important secret key from its most secret ROM). I greatly enjoyed it: excellent research and an excellent presentation of the material.
A talk on the blocking of Telegram in Russia. I was tensely waiting for some political propaganda, but the talk turned out to be technical and rather interesting. The speaker analyzed the main steps taken by the RKN, showed statistics, explained their mistakes and trolled them a little.
A cool talk on the software and hardware of the Curiosity rover. Beautiful slides and a good speaking manner made it interesting and pleasant to listen to. Inspiring, recommended.
A wonderful talk about hacking the firmware of Broadcom Bluetooth chips. It turns out everything is wide open. It can be neither updated nor fixed, for a variety of reasons. Almost all smartphones released over the past 5 years, as well as cars and IoT devices, are vulnerable. In short, everyone urgently disable BT.
I highly recommend looking through the entire list of congress videos; you will surely find something else of interest to you.