BLACK HAT USA 2022 (25th Year Anniversary)

Date: Saturday, August 6th (12:00 PM EST) — Thursday, August 11th (6:30 PM EST)


Location: Mandalay Bay Convention Center (3950 Las Vegas Blvd. South, Las Vegas, Nevada 89119)

Black Hat USA Android App:

Platform(s): The Black Hat USA CISO Summit, as well as the Main Conference including Briefings, Arsenal, the Business Hall, and more, will take place on the Swapcard Virtual Event Platform. Black Hat USA Trainings will be taught online on the GoToTraining virtual classroom platform.


Live Streams:

YouTube (KEYNOTES):



Chat: TBA

Accessibility: Only registered attendees will be able to view the Briefings (Talks), and Workshop attendance not only has a price tag but is filled on a case-by-case basis. The Virtual Business Pass is free and gets you access to the rest of the convention, including the Business Hall, Arsenal, Contests, Sponsored Talks and more. See deals for In-Person Vegas later in this guide.


Code Of Conduct:

From its inception in 1997, Black Hat has grown from a single annual conference in Las Vegas to the most respected information security event series internationally. For more than 20 years, Black Hat Briefings have provided attendees with the very latest in information security research, development, and trends in a strictly vendor-neutral environment. These high-profile global events and Trainings are driven by the needs of the security community, striving to bring together the best minds in the industry.

Now in its 25th year, Black Hat USA is the world’s leading information security event, providing attendees with the very latest security research, development and trends.

Due to the rise of Monkeypox and COVID-19, the Black Hat hybrid event experience in 2022 offers the cybersecurity community a choice in how they wish to participate. They will host both an in-person experience in Las Vegas and a virtual experience online. When you purchase a Briefings Pass, you can select whether to attend in-person or online.

If you choose the Virtual Only Briefings Pass, you will have access to all the online and recorded Briefings Sessions, Sponsored Sessions, Arsenal Demos and the Business Hall. You will also have access to the recorded sessions for 30 days after the event.

If you choose the In-Person Briefings Pass you will have access to BOTH the in-person Briefings, Sponsored Sessions, Arsenal Demos and the Business Hall activities in Las Vegas, AND access to all the online sessions, including online access to the recordings for 30 days after the event.

This is the BIG corporate convention of the Information Security world. Very suit and tie, bring your resume, talking about numbers and projections type of convention. Get used to hearing the words “cyber”, “mitigation”, “deployment”, “corporate”, “blockchain” and “pipeline” being thrown around like candy on Halloween without an eye roll. Attendees will also introduce themselves with their job title and workplace as if they are their last names.

This year, because of the virtualization brought on by the Monkeypox & COVID-19 Pandemic, we are happy that the versatility of last year has returned. With the Business Pass being completely free, reduced (but still expensive by blue-collar standards) prices, and various ways to interact, these inclusive elements have put the convention back on our radar. If you want to network and rub shoulders with the InfoSec big leagues (or to land a job), this is the convention that will be on your priority list!



Briefings Dates: Wednesday, August 10 — Thursday, August 11
There are 2 different Briefings Pass options for 2022.

OPTION 1 — IN-PERSON EVENT at Mandalay Bay Convention Center, Las Vegas, NV

  • Early Discount limited to the first 2,000 paid registrations
  • Includes access to all in-person Briefings, Arsenal Demos, Business Hall Activities & Sessions and more
  • Also includes ALL VIRTUAL EVENT benefits listed in Option 2 below

OPTION 2 — VIRTUAL EVENT available online

  • Includes access to all virtual (online) Briefings, Business Hall Activities & Sessions and more
  • Online access to all recorded Briefings, Arsenal demos, Sponsored Sessions & more, during the event and for 30 days afterward.


  • Saturday, August 6th: 9:00 AM — 4:00 PM
  • Sunday, August 7th: 8:30 AM — 4:00 PM
  • Monday, August 8th: 8:00 AM — 5:00 PM
  • Tuesday, August 9th: 8:00 AM — 6:00 PM
  • Wednesday, August 10th: 8:00 AM — 5:00 PM
  • Thursday, August 11th: 8:00 AM — 4:00 PM


Training Dates: Saturday, August 6 — Tuesday, August 9

Please check individual Training description pages for Training prices and dates.

All Pricing is in US Dollars (USD) and includes full access to the Black Hat Business Hall on August 10–11. Pricing does not include applicable local taxes.


Business Hall Dates: Wednesday, August 10 — Thursday, August 11
There are 2 different Business Pass options for 2022.

OPTION 1 — IN-PERSON EVENT at Mandalay Bay Convention Center, Las Vegas, NV

  • Includes access to all Business Hall Activities, Arsenal Demos, Sponsored Sessions and more

OPTION 2 — VIRTUAL EVENT available online

  • Includes online access to the Virtual Business Hall, Arsenal Demos, Sponsored Sessions, Sponsored Workshops, and more.


Academic Pass registration is open to any member of academia who can prove they are either a full-time student or a full-time professor at an accredited university. An academic pass gives students and professors access to the Black Hat Briefings during the 2022 series of events.

We welcome those members of the academic community who can provide a valid, accredited university ID and meet any one of the additional criteria below, to apply for the academic rate to attend Black Hat Briefings.


  • Verifiable full-time academic status at an accredited college or university. Full-time students are 9 hours graduate or 12 hours undergraduate.
  • Valid University ID


  • University webpage showing the registrant is a full-time (not adjunct) professor.
  • Letter from the registrant’s department head on university letterhead stating full-time status.


  • Standard Terms & Conditions Apply.
  • Academic registration may be granted for the Briefings only.
  • There are no Academic rates available for Training.
  • Academic rate registration is not eligible to combine with any other discounts or promotions.
  • Online registration only.

Academic Registrations are ONLY accepted in advance of the event; the deadline to apply is Friday, July 22, 2022 by 4:00 PM PT. After this date and time, no further requests will be considered, including on-site. All academic registration requests and required documentation must be received on or prior to July 22, 2022 by 4:00 PM PT.


This year, thanks to the hybridization, there are some amazing discounted and FREE options available for those of us hackers who want to rub shoulders (6 feet apart, of course) with the dapper folks without breaking our already sparse checking accounts.

In-Person Business Passes are $595 this year and the Online Business Pass is FREE. With a Business Pass, you can access the Keynote, the Business Hall and a number of Features, including Arsenal, Sponsored Sessions, Passport to Prizes, and more.

EFF Members can get a $200 discount on an In-Person Briefings Pass with promo code: BH22EFF.


Upon purchase of Black Hat Briefings and/or Trainings passes, each registrant will also have the option to purchase a single (1) advance ticket to DEF CON 2022, at a rate of $360 per ticket, one ticket purchase per person, up until the close of “Late” registration on August 4, 2022 at 11:59 PM PT.

DEF CON tickets will not be sold on-site at Black Hat USA. After August 4, 2022, DEF CON tickets are only available for purchase at DEF CON during their ticket sales window.

Please note, you must first register and pay for your Black Hat Training/Briefings registration in order to purchase a DEF CON ticket. The option to purchase a DEF CON ticket is not available to individuals who purchase a Black Hat Business Pass only.

DEF CON tickets are non-refundable, once purchased. When you check in to Black Hat, you will receive a DEF CON badge voucher, and after DEF CON staff provide badges to Black Hat, you may then redeem your voucher for a DEF CON badge, generally on the Thursday of the event.


Thursday, August 11, 2022
7:00 AM — 6:00 PM
Mandalay Bay Ballroom Foyer, Level 2

Step 1: Attendees will present their Black Hat badge with DEF CON symbol to staff.

Step 2: Your badge will be hole punched as proof of pick-up.

Step 3: Staff will hand you your badge.


This year’s event will be partially virtual. We have provided information and resources below to make your experience at Black Hat a successful one. Please contact Black Hat Registration with any questions or for more information.

When the platform goes live, you will receive an email with a link directing to a login page where you can create a password for accessing the virtual event.

Please note that your event login information will come in an email from
Sender: “Black Hat USA”

You should add to your allowed email list to ensure receipt of your login details.


You can access the Swapcard platform directly at

There you can log in by entering the email you used to register for Black Hat USA and creating a password. If you’ve forgotten your password, click on “Send me a magic link” to receive an email to reset your password.


Your profile will be automatically created in Swapcard using the information you supplied when you registered for the event.

You have the option to connect with other attendees and sponsors, just as you would at a live event.

Once you’ve logged into the platform, click on the “Attendee” tab. On the left side of the page, look for the “Visibility” setting to turn your Profile visibility on or off. You may change this setting at any time.


Learn how to access sessions and content:


Learn how to network with other attendees:


Learn how to find virtual exhibit booths:


In addition to all of the chat and networking opportunities within GoToTrainings and Swapcard, you can stay up-to-date and join the conversations on social media by following and tweeting @BlackHatEvents, using the hashtags #BlackHat, #BlackHatUSA, #BlackHat2022, #BlackHat22, #BHUSA and #BHTrainings.


All Black Hat USA Trainings listed as Virtual will be taught live online via Zoom. Sessions will not be recorded. All courses are presented in Pacific Time (GMT/UTC -7h).

Please email if you have any additional questions.


Black Hat USA Main Conference including Briefings, Arsenal, the Business Hall, and more, will take place on the Swapcard Virtual Event Platform. When the platform goes live, you will receive an email with a link directing to a login page where you can create a password for accessing the virtual event.



Come by the official bookstore and browse the latest titles in security. Several Black Hat Speakers and Trainers will be signing copies of their authored books. Brought to you by BreakPoint.


The Source of Knowledge will be onsite to sell audio and video recordings of the Briefings sessions. Make sure to purchase the media on-site. For more information visit

  • Wednesday, August 10: 9:00 AM — 6:00 PM
  • Thursday, August 11: 8:30 AM — 6:00 PM
  • Islander Registration Desk (1st floor)
  • Breakers Registration Desk (2nd floor)
  • Jasmine Registration Desk (3rd floor)


Black Hat is excited to partner with leading childcare provider Kiddie Corp to offer Black Hat attendees access to an on-site children’s program. The Kiddie Corp program is for children ages 6 months through 12 years old and will be located within the Mandalay Bay Convention Center on the dates below:

  • Wednesday, August 10: 8:00 AM — 6:00 PM
  • Thursday, August 11: 8:30 AM — 6:30 PM

Advance registration is recommended. Availability is limited and handled on a first-come, first-served basis. Although every effort will be made to accommodate on-site registrations, there is no guarantee.

Click Here to Learn More and Register


Get your Black Hat-branded T-shirts, jackets, mugs, and more at the Black Hat Merchandise Store located on Level 2. Purchases can be made with any major credit or debit card. Brought to you by Moxie Promo.


NOTE FROM DCG 201 to Black Hat Staff: Please call it the Parenting Room next time. Dads & Enbies are parents too.

A private facility for nursing mothers will be available within the Child Care room on Briefings days, August 10 & 11.

  • Wednesday, August 10 / 8:00 AM — 6:00 PM / Reef C
  • Thursday, August 11 / 8:30 AM — 6:30 PM / Reef C


A private prayer room is available on Level 3 of the Mandalay Bay Convention Center, in the Jasmine 2 Registration Office. The room will remain unlocked throughout the event and no reservation or notice is required for its use.


August 10 | 5:30–6:30 PM | Lagoon KL, Level 2
Black Hat USA will once again host the Pwnie Awards, InfoSec’s premier award show celebrating the achievements and failures of the security community over the past year.

The Pwnie Awards is an annual awards ceremony celebrating the achievements and failures of security researchers and the security community.

To view the nominations:




The Black Hat CISO Summit is an approval-only event during Black Hat USA which brings together top security executives from global corporations and government agencies for a full day of unique discussions. Offered the day before the main Black Hat USA Briefings sessions, the CISO Summit is intended to give CISOs and other InfoSec executives leading-edge insight into the latest security trends, technologies, and enterprise best practices.



CISO Summit Welcome Reception


8:00–9:00 AM

Networking Breakfast

9:00–9:15 AM

Welcome and Introductions

  • Jeff Moss, Founder, Black Hat + DEF CON
  • Steve Wylie, General Manager, Black Hat
  • Jeremiah Grossman, MC

9:15–9:50 AM

Cyber War 2022

  • Kenneth Geers

9:50–10:10 AM

When Your Kinetic War Gets into My Cybernetic Defenses

  • Frank Artes

10:10–10:30 AM

Networking Break

10:30–11:00 AM

Building (Zero) Trust Starts with HardFirmware

  • Yuriy Bulygin

11:00–11:30 AM

Why Cybersecurity is a Key Pillar of ESG: What this means to you as a CISO

  • Joanna Burkey

11:30 AM — 12:00 PM

People Shortage? Skills Gap

  • Dave Kennedy

12:00–1:30 PM


1:35–2:10 PM

Cyber Insurance — The Current State and ways to Influence the Future

  • Kirsten Bay

2:10–2:45 PM

Unifying Asset, Attack Surface, and Vulnerability Management

  • Daniel Miessler

2:45–3:15 PM

Networking Break

3:15–3:50 PM

The Future of Decentralized Security, from Bug Bounties to Virtual Citizen Armies

  • Alex Romero

3:50–4:25 PM

The Great (Cyber) Resignation — Defense in Depth for Keeping/Building Your Teams

  • Jason Haddix

4:25–4:55 PM

Advisory Panel Lock Note

  • Wendy Nather
  • Saša Zdjelar
  • Justine Bone
  • Trey Ford


Closing Remarks


Cocktail Reception

Black Hat — Omdia Analyst Summit



This event will be in-person only and admission is by approval only — and is not guaranteed.

Digital is dominant. As organizations continue their drive towards “digital-first” and become more digitally dependent, so the threat landscape burgeons, taking advantage of these digital dependencies.

As such, organizations require cybersecurity capabilities that are proactive and responsive, with a relentless focus on resilience and development. Security is a function that must support the enterprise in its ambitions for its customers and citizens.

Join this Omdia Analyst Summit at Black Hat USA to hear how security functions are rising to this challenge, as a partner to the business and elevating the role of cybersecurity in modern organizations.

9:15–9:30 AM

Welcome and Introductions

  • Bill Morelli, Chief Research Officer

9:30–10:00 AM


Proactive Security to Manage Digital Dominance

  • Maxine Holt, Senior Director, Research

10:00–10:40 AM

Security, Digital Dominance, and the Real World

  • Maxine Holt, Senior Director, Research
  • Fernando Montenegro, Senior Principal Analyst
  • Eric Parizo, Managing Principal Analyst
  • Andrew Braunberg, Principal Analyst
  • Rik Turner, Senior Principal Analyst

10:40–11:00 AM


11:00–11:40 AM

Zero Trust, for Real, Now?

  • Rik Turner, Senior Principal Analyst
  • Don Tait, Senior Analyst

11:40 AM — 12:20 PM

The Evolution of Ransomware

  • Fernando Montenegro, Senior Principal Analyst
  • Andrew Braunberg, Principal Analyst

12:20–1:20 PM

Lunch Break

1:20–2:05 PM

Breakout 1

XDR: The Supernova of SecOps

  • Eric Parizo, Managing Principal Analyst
  • Elvia Finalle, Senior Analyst
  • Fireside Chat with Ryan Alba, Sr. Manager of Global Solutions Lead at Secureworks

Breakout 2

Standards Shaping and Driving Demand for IoT Security

  • Hollie Hennessy, Senior Analyst
  • Fireside Chat with Nadir Izrael, CTO from Armis

Breakout 3

Essential Guidance for Choosing an IT Security Services Provider

  • Maxine Holt, Senior Director, Research
  • Adam Etherington, Senior Principal Analyst
  • Fireside Chat
    with Theresa Lanowitz, Head of Cybersecurity Evangelism

2:10–2:55 PM

Breakout 1

The Multi-faceted Challenge of ‘Securing Cloud’

  • Fernando Montenegro, Senior Principal Analyst
  • Ketaki Borade, Senior Analyst

Breakout 2

Will Passwordless Authentication Become Mainstream in 2022?

  • Don Tait, Senior Analyst
  • Rik Turner, Senior Principal Analyst

Breakout 3

Cybersecurity Awareness & Education: Building the ‘Human Firewall’

  • Curt Franklin, Senior Analyst
  • Maxine Holt, Senior Director, Research

2:55–3:10 PM


3:10–3:55 PM

Legends panel:

Return of the Analysts

  • Eric Parizo, Managing Principal Analyst
  • Tanner Johnson
  • Perry Carpenter
  • Diana Kelley

3:55–4:00 PM

Wrap-up & close

  • Maxine Holt, Senior Director, Research

4:00–5:00 PM

Drinks & Chat to the Analysts


The Black Hat Network Operations Center (NOC) provides a high-security, high-availability network in one of the most demanding environments in the world — the Black Hat event. This is accomplished with the help of best-of-breed solutions providers and seasoned security and engineering teams led by Black Hat’s esteemed NOC Team Leads.

Together this team provides the security, stability, and visibility of a world-class enterprise network. Each year this hand-selected team meets months before Black Hat to incorporate the latest infrastructure and security solutions into a workable network design. The team reconvenes just days before Black Hat for a compressed deployment of a network that must be operational for the opening day of the event.

Black Hat attendees can visit the NOC for a glimpse into this state-of-the-art network. The Black Hat NOC program is a testament to engineering know-how and teamwork.


The NOC will be streamed live via our Twitch channel:

NOTE: DCG 201 Will Attempt To Host LIVE Rebroadcasts of Each Black Hat NOC Twitch Stream

Live Stream Hours:

  • Tuesday, August 9: 10:00 AM — 4:00 PM
  • Wednesday, August 10: 10:00 AM — 4:00 PM
  • Thursday, August 11: 10:00 AM — 4:00 PM

NOC presentations (Mandalay Bay — Level 2 — Breakers B):

  • Wednesday, August 10: 11:00 AM — 11:20 AM ~ TBD
  • Wednesday, August 10: 2:10 PM — 2:30 PM ~ NOC Leads
  • Thursday, August 11: 11:00 AM — 11:20 AM ~ TBD
  • Thursday, August 11: 2:10 PM — 2:30 PM ~ NOC Leads

NOC Visiting Hours (Mandalay Bay — Level 2 — Surf E/F)

  • Saturday, August 6: 10:00 AM — 4:00 PM
  • Sunday, August 7: 10:00 AM — 4:00 PM
  • Monday, August 8: 10:00 AM — 4:00 PM
  • Tuesday, August 9: 10:00 AM — 4:00 PM
  • Wednesday, August 10: 10:00 AM — 4:00 PM
  • Thursday, August 11: 10:00 AM — 4:00 PM



  • Date: Tuesday, August 9
  • Time: 4:00–6:00 PM
  • Location: Islander EI


Before diving into two jam-packed days of hacks and research, hear insiders’ recommendations on how to make the most of your time, including a synopsis of this year’s can’t-miss Briefings, Arsenal Tools, and special Features from Black Hat Review Board Members, Speakers and Presenters.

Open to all pass types, Day Zero is designed to welcome both first-time and long-time Black Hat attendees. Join us on Tuesday, August 9 to kick off your Black Hat experience and begin building your schedule and network with an inside look at what’s in store and the tools available to help you make the most out of your time.

All Black Hat pass types are welcome. No pre-registration is required.

4:00 PM — 4:20 PM

How to have Two Productive Days (and Best Party-Nights!) at Black Hat

by Sheila A. Berta, Head of Security Research, Dreamlab Technologies

4:20 PM — 4:45 PM

Must-See Briefings at Black Hat USA 2022

by Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

4:45 PM — 5:00 PM

Break

5:00 PM — 5:20 PM

How to Get the Best Out of Conferences and Events

by Daniel Cuthbert, Global Head of Cyber Security Research, Banco Santander

5:20 PM — 5:40 PM

Just because it Happened in Vegas, Doesn’t Mean it has to Stay in Vegas: How Giving Back can be the Best Reward!

by Casey Bourbonnais, Chief Operating Officer, Secure Yeti

5:40 PM — 6:00 PM

From Seat to Stage: Creating a Successful Black Hat Talk Proposal

by Sherri Davidoff, CEO, LMG Security + Nathan Hamiel, Senior Director of Research, Kudelski Security



Arsenal brings independent researchers to showcase their open-source tools to the Black Hat community. Tools cover a variety of tracks, from mobile hacking to network defense. Learn about the latest resources and developments for tool creators and developers.

Arsenal will be presented over two days:
August 10–11, 2022


Exploiting & Securing Trains

Amine Amri
Daniel dos Santos

Dates: Wednesday, August 10 | 10:00am-11:30am ( Business Hall — Arsenal Lab )
Thursday, August 11 | 2:30pm-4:00pm ( Business Hall — Arsenal Lab )

Track: Arsenal Lab

Session Type: Arsenal

We will demonstrate an attacker’s journey to disrupt a train — using only TCP/IP stack vulnerabilities, which are known to affect large numbers of devices at a time.

Attendees will interact with a tool to identify the TCP/IP stack running on a target device (using techniques such as banner grabbing, ICMP querying and TCP fingerprinting), a static analysis tool to find DNS-based vulnerabilities on TCP/IP stacks, and finally an exploit scenario involving a DNS-based RCE on a development board, an FTP-based DoS on a PLC and a TCP-based DoS on the switch connecting them.

The physical effects are shown on the train itself by stopping and starting at the attacker’s will. We will also discuss how a similar exploit scenario can lead to other types of physical effects in critical infrastructure.

Faceless — Deepfake detection

Manh Pham

Date: Wednesday, August 10 | 10:00am-4:00pm ( Virtual Only )

Track: Human Factors

Session Type: Arsenal

Faceless is a deepfake detection system.

The proposed deepfake detection model is based on the EfficientNet structure with some customizations. It is hoped that an approachable solution could remind Internet users to stay secure against fake content and counter the emergence of deepfakes.

The deepfake dataset used in the final model is Celeb-DF.

GoTestWAF — well-known open-source WAF tester now supports API security hacking

Ivan Novikov

Date: Wednesday, August 10 | 10:00am-11:30am ( Business Hall — Arsenal Station 4 )

Tracks: Web AppSec, Exploitation and Ethical Hacking

Session Type: Arsenal

GoTestWAF is a well-known open-source WAF testing tool which supports a wide range of attacks, bypassing techniques, data encoding formats, and protocols, including legacy web, REST, WebSocket, gRPC, and more.

With this major update, the tool now supports Swagger/OpenAPI-based scanning and becomes the first open-source testing tool available for API security solutions.

Hooke: A Sandbox Tool for both Android and iOS Apps

Miao Liu
Xiangxing Qian
Bo Zhang
Fan Yao
Zhenyu Zhu
Yijie Zhao
Yi Zeng

Date: Wednesday, August 10 | 10:00am-12:00am ( Virtual Only )

Track: Android, iOS and Mobile Hacking

Session Type: Arsenal

Mainstream mobile phone systems have implemented privacy features that allow users to keep an eye on how apps access their data, such as Privacy Dashboard for Android and App Privacy Report for iOS. However, when we delved into the implementation of these systems, we found that they were not as accurate and credible as expected. We developed our offline App privacy leak detection platform — Hooke — to identify privacy-sensitive behaviors much more clearly and directly.

For data access, we identified over 300 privacy-related APIs across 8 categories for both Android and iOS, and we constructed sandbox environments and added instrumentation to collect runtime information like parameters, stack traces and app status. For network behavior, we found a general solution to bypass SSL pinning, and tried to decrypt network traffic to prevent sensitive data escape. To facilitate locating privacy issues, our sandbox also recorded App runtime screens and timestamps during the test phase, which are associated directly with dynamic behaviors.

Our tool, Hooke, shows App behaviors in the aspects of privacy data access, network traffic and screen recordings, and we also implemented an intelligent rule engine to analyze this data. Finally, these three categories of data are associated and presented in the form of a timeline, aiming to directly and easily locate an App’s behavior throughout the app’s lifecycle by dragging the timeline. With the help of Hooke, we found dozens of privacy leak issues hidden in malicious Apps and third-party SDKs.

MUSHIKAGO-femto: Automated Pentest & First Aid Tool for IT/OT Environments

Yuta Ikegami
Masato Hamamura

Date: Wednesday, August 10 | 10:00am-4:00pm ( Virtual Only )

Tracks: Exploitation and Ethical Hacking, Smart Grid/Industrial Security

Session Type: Arsenal

At the Black Hat USA 2021 Arsenal, we presented MUSHIKAGO, an automated penetration testing tool for both IT and OT. MUSHIKAGO can automatically perform penetration tests and post-exploitation in various environments without prior learning.

This time, we have newly evolved MUSHIKAGO as MUSHIKAGO-femto, incorporating cutting-edge features. The evolution includes the implementation of a mechanism to perform first aid on the tested system and acquire immune functions, so that the system can defend against the same attacks that the penetration tests were able to achieve. A function was implemented to defend against vulnerability attacks by applying patches, or by injecting FW functions or a proprietary IPS into terminals. Specifically, taking advantage of the fact that the penetration test was able to penetrate the system, patches are applied at the penetrated terminal as if injecting a vaccine, or a unique thin IPS is incorporated. This allows the system to be defended before the actual attacker can exploit the vulnerability or misconfiguration. Based on these results, MUSHIKAGO-femto has become the Next-Generation Pentest Tool that strengthens system defenses while performing penetration testing.

Other additional features include the implementation of a scan function to detect ICS protocols in order to detect ICS devices with high accuracy. MUSHIKAGO-femto has both Active Scan and Passive Scan functions, enabling comprehensive detection of PLCs and ICS devices. This enables automatic penetration of OT systems, making it possible to perform automatic penetration tests on OT systems with high accuracy. In the demo, we will show how it can perform automatic penetration testing and automatic protection against Hack The Box and VulnHub machines. We will also show that it is possible to perform effective penetration testing in our OT/ICS environment.

ReconPal: Leveraging NLP for Infosec

Jeswin Mathai
Shantanu Kale
Sherin Stephen

Date: Wednesday, August 10 | 10:00am-12:00am ( Virtual Only )

Track: OSINT — Open Source Intelligence

Session Type: Arsenal

Recon is one of the most important phases; it seems easy but takes a lot of effort and skill to do right. One needs to know about the right tools and the correct queries/syntax, run those queries, correlate the information, and sanitize the output. All of this might be easy for a seasoned infosec/recon professional to do, but for the rest, it is still close to magic. How cool would it be to ask a simple question like “Find me an open Memcached server in Singapore with UDP support?” or “How many IP cameras in Singapore are using default credentials?” in a WhatsApp chat or a web portal and get the answer?

The integration of GPT-3, deep learning-based language models to produce human-like text, with well-known recon tools like Shodan is the foundation of ReconPal. In this talk, we will be introducing ReconPal with report generation capabilities and interactive terminal sessions. We are also introducing a miniature attack module, allowing users to execute popular exploits against the server with just the voice commands. The code will be open-source and made available after the talk.


Quentin Kaiser

Date: Wednesday, August 10 | 10:00am-11:30am ( Business Hall — Arsenal Station 8 )

Tracks: Reverse Engineering, Internet of Things

Session Type: Arsenal

One of the major challenges of embedded security analysis is the sound and safe extraction of arbitrary firmware.

Specialized tools that can extract information from those firmwares already exist, but we wanted something smarter that could identify both the start offset of a specific chunk (e.g. filesystem, compression stream, archive) and its end offset.

We stick to the format standard as much as possible when deriving these offsets, and we clearly define what we want out of identified chunks (e.g., not extracting meta-data to disk, padding removal).

This strategy helps us feed known valid data to extractors and precisely identify unidentified chunks, turning unknown unknowns into known unknowns.

Given the modular design of unblob and the ever-expanding repository of supported formats, unblob could be used in areas outside of embedded security such as data recovery, memory forensics, or malware analysis.

unblob has been developed with the following objectives in mind:

  • Accuracy — chunk start offsets are identified using battle-tested rules, while end offsets are computed according to the format’s standard without deviating from it. We minimize false positives as much as possible by validating header structures and discarding overflowing chunks.
  • Security — unblob does not require elevated privileges to run. It’s heavily tested and has been fuzz-tested against a large corpus of files and firmware images. We rely on up-to-date third-party dependencies that are locked to limit potential supply chain issues. We use safe extractors that we audited and fixed where required (e.g., path traversal in ubi_reader, path traversal in jefferson, integer overflow in Yara).
  • Extensibility — unblob exposes an API that can be used to write custom format handlers and extractors in no time.
  • Speed — we want unblob to be blazing fast, that’s why we use multi-processing by default, make sure to write efficient code, use memory-mapped files, and use Hyperscan as a high-performance matching library. Computation-intensive functions are written in Rust and called from Python using specific bindings.

AzureGoat: A Damn Vulnerable Azure Infrastructure

Nishant Sharma
Jeswin Mathai
Rachna Umaraniya

Date: Wednesday, August 10 | 11:30am-1:00pm ( Business Hall — Arsenal Station 2 )

Track: Exploitation and Ethical Hacking

Session Type: Arsenal

Microsoft Azure has become the second-largest cloud infrastructure provider by market share (as per multiple reports), just behind AWS. There are numerous tools and vulnerable applications available for AWS that let security professionals practice attack and defense, but that is not the case with Azure, where far fewer options are available to the community. AzureGoat is our attempt to close this gap.

In this talk, we will be introducing AzureGoat, a vulnerable by design infrastructure on the Azure cloud environment. AzureGoat will allow a user to do the following:

- Explore a vulnerable infrastructure hosted on an Azure account
- Explore different ways to get a foothold into the environment, e.g., a vulnerable web app, an exposed endpoint, an attached MSI
- Learn and practice different attacks by leveraging misconfigured Azure components like Virtual Machines, Storage Accounts, App Services, Databases, etc.
- Abuse Azure AD roles and permissions
- Audit and fix misconfigurations in IaC
- Redeploy the fixed/patched infrastructure

Users will be able to deploy AzureGoat on their own Azure account using a pre-created Docker image and scripts. Once deployed, AzureGoat can be used for target practice and conveniently deleted later.

All the code and deployment scripts will be made open-source after the talk.

Ox4Shell — Deobfuscate Log4Shell payloads with ease

Daniel Abeles
Ron Vider

Date: Wednesday, August 10 | 11:30am-1:00pm ( Business Hall — Arsenal Station 5 )

Tracks: Data Forensics/Incident Response, Reverse Engineering

Session Type: Arsenal

Since the release of the Log4Shell vulnerability (CVE-2021-44228), many tools have been created to obfuscate Log4Shell payloads, making the lives of security engineers a nightmare.

Threat actors tend to apply obfuscation techniques to their payloads for several reasons. Most security protection tools, such as web application firewalls (WAFs), rely on rules to match malicious patterns. By using obfuscated payloads, threat actors are able to circumvent the rules logic and bypass security measures. Moreover, obfuscated payloads increase analysis complexity and, depending upon the degree of obfuscation, can also prevent them from being reverse-engineered.

Decoding and analyzing obfuscated payloads is time-consuming and often results in inaccurate data. However, doing so is crucial for understanding attackers’ intentions.

We believe that security teams around the world can benefit from using Ox4Shell to dramatically reduce their analysis time. To help the security community, we have decided to release Ox4Shell — a payload deobfuscation tool that would make your life much easier.

Vehicle Control System

Shishir Gupta
Chris Sistrunk

Dates: Wednesday, August 10 | 12:15pm-1:45pm ( Business Hall — Arsenal Lab )
Thursday, August 11 | 12:15pm-1:45pm ( Business Hall — Arsenal Lab )

Track: Arsenal Lab

Session Type: Arsenal

Real-Time Operating Systems (RTOS) form the backbone of embedded systems and control units used in vehicle control technology (such as automobiles, trucks, buses, locomotives, UAVs, etc.).

In this session, we will get hands-on red teaming a popular RTOS that’s at the heart of vehicle control systems worldwide. To counter this activity, we will then demonstrate memory extraction and data analysis following Mandiant’s Digital Forensics and Incident Response Framework for Embedded OT Systems.

Protecting your Crypto Asset against Malicious JS Phishing

Jordan Garzon
Asaf Nadler

Date: Wednesday, August 10 | 1:00pm-2:30pm ( Business Hall — Arsenal Station 4 )

Tracks: Network Defense, Malware Defense

Session Type: Arsenal

Cryptocurrencies and NFTs are taking over, with predictions of 90% of the population holding at least one of them by the end of the decade. Users who want to hold these new assets, trade them and sell them typically do so using wallets, and in particular hot wallets that are easy to use. The most popular hot wallets today (e.g., MetaMask) are browser based and are thus vulnerable to phishing and scams made possible through malicious JavaScript, such as a recent campaign carried out by the Lazarus group which resulted in more than $400M worth of stolen cryptocurrencies.

We are releasing our internal tool, used by Security Operations and the research team at Akamai, to scan the JS from any website.
It includes a Python recursive crawler that extracts every JS from any domain (written within the HTML or imported), analyzes it with a model and heuristics that we provide, and enriches it with metadata (from VT, publicwww…). It finally gives a score to every piece of code running on any URL of a specified domain.
The code also works as a web app and exposes a REST API as well.

We will finish by presenting some real detections we caught with this tool and explaining them.

The Mathematical Mesh

Phillip Hallam-Baker

Date: Wednesday, August 10 | 1:00pm-2:30pm ( Business Hall — Arsenal Station 7 )

Tracks: Cryptography, Internet of Things

Session Type: Arsenal

The Mathematical Mesh is a Threshold Key Infrastructure that allows cryptographic applications to provide effortless security. Threshold key generation and threshold key agreement are used to provide end-to-end security of data in transmission and data at rest without requiring any additional user interactions.

Once a device is connected to a user’s personal Mesh through a simple, one-time configuration step, all private key and credential management functions are automated. Devices may be provisioned with the private keys required to support applications such as OpenPGP, S/MIME and SSH according to the intended use of that device.

Detecting Linux Kernel Rootkits with Tracee

Yaniv Agman
Ziv Karliner
Asaf Eitani
Alon Zivony

Date: Wednesday, August 10 | 2:30pm-4:00pm ( Business Hall — Arsenal Station 8 )

Track: Malware Defense

Session Type: Arsenal

Linux kernel rootkits are an advanced and fascinating topic in cyber security. These tools are stealthy and evasive by design and often target the lower levels of the OS. Unfortunately, there aren’t many solid security tools that can provide extensive enough visibility to detect these kinds of tools.
Tracee is a runtime security and forensics tool for Linux, utilizing eBPF technology to trace systems and applications at runtime, analyze collected events to detect suspicious behavioral patterns, and capture forensic artifacts.

Tracee was presented at BH EU 2020 and BH USA 2021. Thus far we have presented Tracee-ebpf and spoken about its passive capabilities to collect OS events based on given filters, and Tracee-rules, which is the runtime security detection engine. But Tracee has another capability to safely interact with the Linux kernel, which grants Tracee even more superpowers.

Tracee was designed to provide observability on events in running containers. It was released in 2019 as an OSS project, allowing practitioners and researchers to benefit from its capabilities. Now, Tracee has greatly evolved, adding more robust and advanced capabilities. Tracee is a runtime security and forensics tool for Linux, built to address common Linux security issues.

For references see:

Hands-on RF Hacking 101: From Waveforms to System Takeover

Paul Clark

Dates: Wednesday, August 10 | 2:30pm-4:00pm ( Business Hall — Arsenal Lab )
Thursday, August 11 | 10:00am-11:30am ( Business Hall — Arsenal Lab )

Track: Arsenal Lab

Session Type: Arsenal

This is RF hacking from end to end! You’ll work through all the stages of reversing a basic radio system and building your own transmitter to take control. On the receive side, this includes finding the signal, capturing it and breaking it down into bits. You’ll then build a transmitter to take over the original target, as well as iteratively attacking an additional target with the same protocol but different address. We’ll keep things pretty low-level in this project, so you’ll get a great view of how the nuts-and-bolts of RF hacking really work.

Objective-See’s Mac Security Tools

Patrick Wardle

Date: Wednesday, August 10 | 2:30pm-4:00pm ( Business Hall — Arsenal Station 4 )

Tracks: Malware Defense, Network Defense

Session Type: Arsenal

Objective-See’s security tools are free, open-source, and provide a myriad of ways to protect macOS systems from hackers, malware, or even commercial applications that behave poorly!

In this demo, we will cover our most popular tools, including LuLu, OverSight, BlockBlock and more.

We’ll also highlight various command-line tools (that leverage Apple’s new Endpoint Security Framework) designed to facilitate both malware analysis and macOS spelunking.

The Metasploit Framework

Spencer McIntyre

Date: Wednesday, August 10 | 2:30pm-4:00pm ( Business Hall — Arsenal Station 6 )

Tracks: Exploitation and Ethical Hacking, Network Attacks

Session Type: Arsenal

Modern attack emulation is a multi-step process involving different tools and techniques as testers execute custom workflows to achieve their objectives. One primary advantage of the Metasploit Framework is a unified approach to solving this problem.

This arsenal demonstration will cover some of the latest improvements to the Metasploit Framework and showcase how these improvements maximize effectiveness while performing common tasks. Viewers will see the latest workflows for capturing credentials, UI optimizations for running modules, and demonstrations of Metasploit’s new payload-less session types. Capturing credentials is an integral part of many penetration testing methodologies and, when combined with the Metasploit database, can be a powerful technique for users engaged in breach simulations. The latest features streamline configuring all the services Metasploit has capture modules for and managing them as a single unit. Users will also learn about some of the latest improvements related to pivoting in Metasploit, which, when combined, allow capture services to be started on compromised hosts.

Wiretapping Tool to Sniff Packets Directly from LAN Cables

Michihiro Imaoka

Date: Wednesday, August 10 | 2:30pm-4:00pm ( Business Hall — Arsenal Station 7 )

Tracks: Hardware / Embedded, Network Attacks

Session Type: Arsenal

Wiretapping tool to sniff packets directly from LAN cables

Zuthaka: A Collaborative Free Open-Source Command & Controls (C2s) Integration Framework

Lucas Bonastre
Alberto Herrera

Date: Wednesday, August 10 | 4:00pm-5:30pm ( Business Hall — Arsenal Station 8 )

Tracks: Malware Offense, Vulnerability Assessment

Session Type: Arsenal

A collaborative free open-source Command & Control development framework that allows developers to concentrate on the core function and goal of their C2.
Zuthaka presents a simplified API for fast and clear integration of C2s and provides centralized management for multiple C2 instances through a unified interface for Red Team operations.
Zuthaka is more than just a collection of C2s; it is also a solid foundation that can be built upon and easily customized to meet the needs of the exercise to be accomplished. This integration framework for C2 allows developers to concentrate on a unique target environment and not have to reinvent the wheel.
After we first presented Zuthaka’s MVP at Black Hat USA 2021, we are now presenting the first release with a live demo lab to share the possibilities of integration and flexibility of Red Team infrastructure.

Patronus: Swiss Army Knife SAST Toolkit

Akhil Mahendra
Ashwin Shenoi
Akshansh Jaiswal

Date: Thursday, August 11 | 10:00am-11:30am ( Business Hall — Arsenal Station 3 )

Tracks: Vulnerability Assessment, Code Assessment

Session Type: Arsenal

Patronus is a fully dockerised, comprehensive, config-driven security framework which helps to detect security vulnerabilities in the Software Development Life Cycle of any application. The framework takes a highly automated approach to vulnerability identification and management. With Patronus’s fully whitebox approach, the framework currently covers four major verticals: Secrets Scanning, Software Composition Analysis, Static Application Security Testing and Asset Inventory. Finding all four verticals together in one framework is rare in the industry; Patronus provides a comprehensive dashboard that brings all four verticals into a single central platform. Patronus automatically identifies the latest code commits and focuses on the major aspects of the application source code to identify and detect key and high-severity vulnerabilities within the application, aiming for minimal false positives in the reports.

The framework focuses on the needs of security engineers and developers alike, with a dedicated web dashboard that abstracts the nitty-gritty technicalities of the security vulnerabilities detected and empowers the user with a higher level of vulnerability tracking for better patch management. The dashboard is built with analytics, functionality and maintainability in mind to display various metrics for the scans and vulnerabilities. It also helps to search, analyze and resolve vulnerabilities on the go and provides a completely consolidated vulnerability report.

Patronus is very powerful and hugely reduces the time and effort the security team spends thoroughly reviewing any application from a security lens. The framework comes with an on-demand scanning feature in addition to the scheduled daily automated scans, using which developers and security engineers can scan particular branches and repositories at any point in the SDLC, directly from the dashboard or from integrations like Slack. The framework is completely adaptable, and software such as Slack and Jira can easily be integrated directly with Patronus for better accessibility and tracking, since most organizations today use these extensively.

IR (Infrared) BadUSB Attack

Michihiro Imaoka

Date: Thursday, August 11 | 11:30am-1:00pm ( Business Hall — Arsenal Station 4 )

Tracks: Hardware / Embedded, Internet of Things

Session Type: Arsenal

Conventional BadUSB executes a pre-programmed key sequence upon insertion.
This lecture reports a new vulnerability that arises from the addition of an IR receiver element to the traditional BadUSB, such as the IR Infrared Receiver TL1838 VS1838B 1838 38 kHz.
The addition of this element allows an external operator to execute key sequences at arbitrary times. Multiple pre-programmed key sequences can be selected at will by external operation.

Detecting Typo-Squatting, Backdoored, Abandoned, and Other “Risky” Open-Source Packages Using Packj

Ashish Bijlani

Date: Thursday, August 11 | 1:00pm-2:30pm ( Business Hall — Arsenal Station 4 )

Track: Malware Defense

Session Type: Arsenal

Software supply chain attacks on open-source software ecosystems, particularly on popular package managers such as NPM and PyPI, have increased tremendously in the last few years. Today, developers must thoroughly analyze packages and avoid risky packages that may expose them to high levels of supply chain risk.

But there exists no tool to measure the supply chain risks lurking in open-source packages. Current practices include sourcing only mature, stable, popular, and reputable packages, where such attributes are inferred from publicly available metrics, such as GitHub stars, package downloads, and software development activity. However, such vanity metrics do not reveal true information about the security posture of packages. More importantly, an attacker-controlled bot can easily manipulate such metrics. Manually vetting hundreds of dependencies is infeasible.

In this talk, we will present our open-source command line vetting tool, called Packj, that allows developers to easily analyze dependencies for “risky” code/attributes and provides actionable insights into their security posture. In this presentation, we will cover the technical details of our tool and discuss its usage. Packj also powers our large-scale security vetting infrastructure that continuously analyzes millions of published packages and provides detailed risk assessment reports. We have already detected a number of abandoned, typo-squatting, and malicious packages. We will present our findings, highlight different types of attack techniques adopted by bad actors, and discuss measures that developers can take to thwart such attacks. With our work, we hope to enhance the productivity of the developer community by exposing undesired behavior in untrusted third-party code, maintaining developer trust and reputation, and enforcing the security of package managers.

Suborner: A Windows Bribery for Invisible Persistence

Sebastián Castro

Date: Thursday, August 11 | 1:00pm-2:30pm ( Business Hall — Arsenal Station 8 )

Tracks: Exploitation and Ethical Hacking, Malware Offense

Session Type: Arsenal

Whenever an attacker is trying to persist access on a compromised machine, the first offensive approach usually involves the creation of a new identity. Nevertheless, this may not work easily in hardened environments with diverse detection mechanisms against common attack vectors.

What if we “suborn” Windows to create our own hidden account that will grant us total access to a victim, while stealthily impersonating any account we want?

Now it is possible with the Suborner Attack.

This technique will dynamically create an invisible machine account with custom credentials and custom properties without calling any user management Win32 APIs (e.g., netapi32.dll::netuseradd) and therefore evading detection mechanisms (e.g., Event IDs 4720, 4721). By “suborning” Windows, we can also impersonate any desired account to keep our stealthiness even after a successful authentication/authorization.

To show its effectiveness, the attack is going to be demonstrated against the latest Windows version available.

Octopii — AI-powered Personal Identifiable Information (PII) scanner

Owais Shaikh

Date: Thursday, August 11 | 2:30pm-4:00pm ( Business Hall — Arsenal Station 4 )

Track: OSINT — Open Source Intelligence

Session Type: Arsenal

Octopii is an open-source AI-powered Personal Identifiable Information (PII) scanner that can look for image assets such as Government IDs, passports, photos and signatures in a directory.

SquarePhish: Combining QR Codes and OAuth 2.0 Device Code Flow for Advanced Phishing Attacks

Nevada Romsdahl
Kam Talebzadeh

Date: Thursday, August 11 | 2:30pm-4:00pm ( Business Hall — Arsenal Station 8 )

Tracks: Exploitation and Ethical Hacking, Human Factors

Session Type: Arsenal

SquarePhish is an advanced phishing tool that uses a technique combining the OAuth Device code authentication flow and QR Codes.


Are Hackers Haunting Your Nightmares?

Todd Moore | Vice President, Encryption Products, Thales

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Track: Data & Collaboration Security

Ransomware has become one of the most prevalent threats. According to the 2022 Thales Data Threat Report, 21% of organizations have experienced a ransomware attack and nearly half of all organizations reported an increase in cyberattacks over the past 12 months. As a result, the White House and other government agencies, such as NIST, have provided security frameworks on how to protect sensitive data. This session will focus on the current security landscape, operational threats and sharing some best practices to help you sleep well at night.

Beyond the BS: Cut Through Security Marketing to See the Truth in the Tech

Kate Adam | Senior Director Enterprise Product Marketing, Juniper Networks

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Track: Infrastructure Protection

Think you’re immune to marketing? The security market is full of marketing “fluff” that disguises bad products and glosses over shortcomings. Let’s get to the bottom of what security tech can really do vs. what vendors say it can do, and why the difference matters.

Don’t Trust Your Inbox

Austin Munro | Product Expert, Cloudflare Area 1

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Track: Cloud Security

E-mail continues to be the leading cause of cyber security incidents. This session will show how Cloudflare Area 1 protects against these attacks. Cloudflare Area 1 is a cloud-native email security platform. It crawls the Internet to stop phishing, Business Email Compromise (BEC), and email supply chain attacks at the earliest stages of the attack cycle. Area 1 enhances built-in security from cloud email providers with deep integrations into Microsoft and Google environments and workflows.

Exploring the Risks of Subdomain Takeovers

Marcos Lira | Senior Sales Engineer, Halo Security

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Application Security, Security Operations & Incident Response

Subdomain takeovers pose a serious threat to organizations worldwide. Even large corporations like Microsoft, Uber, and Starbucks have been found to be vulnerable to this type of attack, which can often go undetected for weeks or months on end.

In this session, we’ll break down the different types of subdomain takeovers and the detrimental effects they can have on your business and customers. We’ll take a close look at how simple it is for an attacker to take over a subdomain with a live demonstration and share actionable recommendations for preventing and mitigating the risk of subdomain takeovers.

Gaining Initial Access by Exploiting Publicly Exposed Secrets in Git Repositories and Docker Images

Mackenzie Jackson | Developer Advocate, GitGuardian

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Application Security, Cloud Security

The problem of publicly exposed secrets, such as API keys and other credentials, is a widespread weakness affecting organizations of all sizes. The scale of this problem was quantified in a year-long research study by GitGuardian, which scanned all public activity on GitHub throughout 2021 and uncovered over 6 million secrets leaked inside public git repositories and public Docker images. We will look at how adversaries are leveraging this weakness to exploit organizations and gain access to private systems by breaking down three recent successful attacks, all of which used different methods to extract publicly exposed secrets that granted initial access to the attackers.


Hack Your Pentesting Routine: Not Another Boring Product Demo

Nick Popovich | Hacker in Residence, PlexTrac

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Data & Collaboration Security, Security Operations & Incident Response

This isn’t your typical vendor product demo. Instead, this is a technical demonstration of real-world security assessment activity, including network penetration testing, red teaming, purple teaming, and AppSec assessments. The findings derived from the previous assessments will be added to the PlexTrac platform to demonstrate how to effectively prioritize, track, remediate and report on discovered vulnerabilities. The goal is to showcase the efficiency that using the PlexTrac platform can afford organizations across many verticals from private sector to government, from consultancies and MSSPs to enterprises. The PlexTrac platform transforms the way the real cybersecurity work gets done.

Hey, Adversary: Your Domains are Showing!

Tim Helming | Security Evangelist, DomainTools

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Risk, Compliance and Security Management, Security Operations & Incident Response

Lookalike domains are implicated in many different kinds of incursions and attacks, from spear phishing to ransomware to vendor compromise. Yet, most of the time, the first that defenders know about such domains is when they are being used against them. Being able to identify such domains before they are operationalized can significantly reduce risk. In this session, you will learn how you can leverage the world’s fastest new-domain discovery engine to identify and monitor domains that spoof your organization or others in your trusted ecosystem, and how DomainTools customers find threats some 80% faster.

How to Defend an Event Such as the Super Bowl

Tomas Maldonado | CISO for the NFL, Cisco
Neville Letzerich | VP, Marketing, Cisco

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Infrastructure Protection, Security Operations & Incident Response

In the new hybrid work world, protecting the integrity of your business to withstand unpredictable threats is our reality, together. Cisco is here to bring the power of our collective portfolio across security and networking to protect your business. Join us as we chat with Tomás Maldonado, CISO for the NFL, on how he and his team prepared to defend the world stage event, the Super Bowl.

Inside a Ransomware Hacker’s Mind

Terry McGraw | Executive Senior Consultant, IT Security, Secureworks

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Track: Security Operations & Incident Response

What’s the profile of a modern-day hacker? They’re rarely what we see portrayed in the media. In this session, learn what makes a hacker tick: their behaviors, methods, and motivations. By understanding our adversaries’ mindsets, we can better prepare to protect against today’s #1 threat of ransomware.

Lessons Never Learned: Attack Surface Management has Failed Since the 70s

Joel Fulton | CEO, Lucidum

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Cloud Security, Security Operations & Incident Response

Dramatic improvements in security posture do happen, just never the way we’re led to believe. From the earliest days of mainframes and terminals to the modern infrastructure as code and SASE, the same problems remain. We’ve never gotten past mullets, bell bottoms, or paisley. We take a serious look at the root cause, the lever to change it, and challenge the current thinking by looking at the tactical changes which yield immediate, effective results.

Navigating the Dark Corners of Social Engineering Attacks

James Alliband | Senior Product Strategy Manager, Tessian

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Track: Cloud Security

Attackers have successfully infiltrated organizations through advanced social engineering techniques that exploit human behavior and vulnerabilities, and lead to some of the worst data breaches in history. And the primary delivery method is email. We’ll take you through some of the worst social engineering attacks found by Tessian’s Threat Intelligence Team and what you can do to stop them.

Project Circuit Breaker, A Community of Elite Hackers

Katie Trimble-Noble | Director Product Security and Bug Bounty, Intel

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Track: Security Operations & Incident Response

Project Circuit Breaker is a community of elite hackers — fixers and breakers — that hunt bugs in firmware, hypervisors, GPUs, compromising chipsets, pwning processors and much more. Missions include live hacking events on the latest Intel products, and even some pre-release opportunities, immersive training, and Capture the Flag events. Game Masters, Intel engineers, work closely with participants, and the community is encouraged to learn from each other. This isn’t your usual Bug Bounty program. Challenges are focused on some of the biggest hurdles and bounties are multiplied.

Real Talk: Your Path to Passwordless Still Includes Passwords

Christofer Hoff | Chief Secure Technology Officer, LastPass

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Cloud Security, Identity and Access Management (IAM)

Passwordless authentication is a critical component of any zero-trust architecture and bringing that to users at scale is how businesses enable greater convenience for end users and stronger security with a narrowed attack surface. While broad implementation and adoption of passwordless is and should be the goal, it will inevitably take years to achieve.

Join LastPass CTO Christofer Hoff as he discusses:

• Why the pain points of passwords are the rewards of going passwordless

• The requirements for making passwordless a widely-adopted reality

• How passwordless can be achieved today

Security Is a People Problem First, and a Technology Problem Second

Chris Bream | VP of Engineering, 1Password

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Identity and Access Management (IAM), Risk, Compliance and Security Management

Security strategies often start with the technology stack, forcing people to adapt to those tools and processes. But a tools-first approach ignores fundamental aspects of human psychology. That approach directly leads to poor security outcomes by introducing unnecessary complexity and creating tension between security and productivity.

In this talk, we’ll touch on original research that paints a clear picture of a changing threat landscape. Then we’ll cover how the old way of thinking hampers our ability to secure those threats, and why closing the gap requires starting with a firm grasp of human behavior and business goals.

The CVSS Fallacy — Can You Trust the World’s Most Popular Vulnerability Metric?

Brian Moussalli | Security Research Tech Lead, JFrog

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Track: Risk, Compliance and Security Management

The NVD defines one of the usages of CVSS as “a factor in prioritization of vulnerability remediation” and it is the current de-facto vulnerability metric, often seen as infallible guidance and a crucial element in many compliance processes. In our session we will go over real-world CVE examples, demonstrating cases and entire categories where CVSSv3.1 falls short of providing an accurate assessment, both due to its design and its various mishandlings. The session will also touch upon specific indicators in the CVE description that can raise the confidence in a CVSS score, and vice versa.

Turning a Hacker’s Toolkit Against Them

Jack Chapman | VP of Threat Intelligence, Egress

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Data & Collaboration Security, Security Operations & Incident Response

Toolkits make a hacker’s life easy and democratize cyber crime. They are constantly evolving, and it is imperative that defenders understand how they work so that they can create defenses against them. In this session we will present the findings from our latest research into the tools that support the early stages of an attack:

  • Reconnaissance — the latest tools an attacker uses to discover what security controls their target has in place
  • Weaponization — guided walk through of how easy tool kits are to acquire and how they are used
  • Delivery — toolkits for the dominant threat channel, email

Using Artificial Intelligence to Disrupt Automated Threat Analysis

Marian Radu | Data Science, CrowdStrike
Liviu Arsene | Director, Threat Research and Reporting, CrowdStrike

Date: Wednesday, August 10 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Track: Endpoint Security

Is detonating threats in a sandbox enough? Is AI a valuable tool for analyzing advanced threats? Detecting today’s threats requires added capabilities like sandbox memory and network traffic scanning, driven by AI. We tune these capabilities to detect advanced attacks that would bypass standard detections. The presentation will discuss how sophisticated malware behaves as well as gain a unique perspective into how machine learning analyzes sophisticated malware behavior. Participants will experience a fresh perspective into how CrowdStrike cybersecurity analysts build machine learning systems to combat advanced malware. Learn more on the current capabilities of disruptive automated threat analysis driven by AI.

Entry-Level Drone Exploitation

Vikas Sharma | Cyber Security Researcher, Technology Innovation Institute
Siwar Kriaa | Security Researcher, Technology Innovation Institute
Mikhail Lubinets | Senior Security Engineer, Technology Innovation Institute

Date: Wednesday, August 10 | 10:20am-12:20pm ( Oceanside E )

Format: 120-Minute Sponsored Workshop

Tracks: Application Security, Endpoint Security

How Darktrace Helps the City of Las Vegas Harden Its Attack Surface

Nicole Eagan | Chief Strategy Officer, Darktrace
Justin Fier | Tactical Risk and Response, Darktrace
Michael Sherwood | Chief Innovation Officer, the City of Las Vegas

Date: Wednesday, August 10 | 10:20am-11:10am ( Mandalay Bay I )

Format: 50-Minute Sponsored Session

Track: Risk, Compliance and Security Management

A challenge for security teams is understanding and prioritizing the real risks their organizations face. Smart Cities, like the City of Las Vegas, are no exception. Beyond general vulnerabilities, what paths might an attacker take to cause the most disruption? Applying AI research led Darktrace experts to discover, simulate, and prioritize external and internal cyber risk for customers like the City of Las Vegas. While threats increase in complexity, hear how a new technology in preventative security goes far beyond shiny tools to streamline continuous testing of controls to ensure real world risks are mitigated.

Insert Coin to Continue… Ransomware in the Gaming Industry

Stefano Maccaglia | Practice Manager Incident Response, NetWitness

Date: Wednesday, August 10 | 11:30am-12:20pm ( Mandalay Bay J )

Format: 50-Minute Sponsored Session

Track: Security Operations & Incident Response

The online gaming industry is among the most advanced in terms of cybersecurity measures. Featuring sophisticated security operations, these companies employ the use of firewalls, proxies, and encrypted connections, as well as multi-factor authentication to protect users against identity theft.

Nevertheless, cyber-attacks still take place continuously and challenge even the best security teams. Many online casinos have prepared disaster recovery plan strategies for damage control and fast recovery, but how do they react when a sophisticated ransomware actor goes on stage? What are the common, and less-common, pitfalls of a cybersecurity plan in the gaming industry? This session will cover these questions and present two cases to illustrate.

Lessons from Ukraine: What Cisco Talos Threat Researchers Learned from Defending Critical Infrastructure in Ukraine

Ashlee Benge | Strategic Intelligence & Data Unification, Cisco
JJ Cummings | Principal Engineer — National Security Lead, Cisco

Date: Wednesday, August 10 | 12:05pm-1:05pm ( CCMR Palm A )

Format: 60-Minute Lunch & Learn


As Cisco Talos defenders, our day-to-day life consists of making decisions for every Cisco Secure customer. This February, we took on defending over 30 critical infrastructure customers in Ukraine by directly managing and monitoring their endpoint security. Through this operation, our focus has shifted from a global vendor to making decisions for a distinct set of companies during wartime in their country. As we adapted to this new reality, so have many other defenders as cyber risks to an organization have vastly changed in today’s geopolitical landscape.

This talk will cover our experience in defending critical infrastructure during the war and our lessons learned. From the importance of operational set-up to clear and concise business communications we’ll walk you through how we have set up a company-wide response effort, what a day looks like, and demonstrate global detections with an example hunt. We start from the beginning, laying out our background in Ukraine and partnerships with law enforcement organizations, such as the Cyberpolice Department of the National Police of Ukraine. We will pivot into how we specifically set up our response, including threat hunting teams and directing a group of over 650+ volunteers tracking open-source intelligence and dark web channels.

Using Data Mining to Uncover Psychological Cyber Warfare Tricks and How to Prepare Your End-Users

Tiffany Ricks | CEO, HacWare

Date: Wednesday, August 10 | 12:05pm-12:25pm ( Business Hall Theater C )

Format: 20-Minute Innovation Session

Tracks: Data & Collaboration Security, Risk, Compliance and Security Management

This session will explain how we used data mining to show how social engineering attacks have evolved into psychological cyber warfare. The session explores the motive behind phishing lures, risky behaviors, and how to prepare your end-users during cyber wartimes.

Go Hack Yourself: 5 Crazy Ways NodeZero Became Domain Admin

Snehal Antani | CEO and Co-founder

Date: Wednesday, August 10 | 12:40pm-1:30pm ( Mandalay Bay J )

Format: 50-Minute Sponsored Session

Tracks: Cloud Security, Risk, Compliance and Security Management

Attackers don’t have to “hack in” using zero-day vulnerabilities. Often, attackers log in by chaining together misconfigurations, dangerous product defaults, and exploitable vulnerabilities to harvest and reuse credentials.

This session will discuss five real-world attacks that enabled NodeZero to become domain administrator, gain access to sensitive data, take over cloud VPCs, and compromise critical business systems. In most instances no security alerts were triggered despite state-of-the-art security tools being in place. Attendees will learn how they can find, fix, and verify the remediation of exploitable attack paths so they can proactively harden their enterprise and better detect and stifle attackers.

The Security Mandates of the New State Privacy Laws Enforceable in 2023

Scott Giordano | V.P., Corporate Privacy, Spirion

Date: Wednesday, August 10 | 3:00pm-3:50pm ( Mandalay Bay I )

Format: 50-Minute Sponsored Workshop

Track: Risk, Compliance and Security Management

In 2023, no fewer than five new state “rights based” privacy laws will come into force, including the California Privacy Rights Act (CPRA). With these new laws come a list of information security mandates, many of which could be a law by themselves. Risk assessments, audits, and validation of consumer rights requests are now part of that list, requiring an approach that is decidedly different from traditional, risk-based mandates like HIPAA or GLBA. In this presentation, an InfoSec legal veteran will take a deep dive into these laws and explain what they mean for you and your InfoSec program.

Dissecting an Attack on the Browser and How to Prevent It

Alon Levin | VP Product Management, Seraphic

Date: Thursday, August 11 | 1:15pm-1:35pm ( Business Hall Theater C )

Format: 20-Minute Innovation Session

Tracks: Endpoint Security, Risk, Compliance and Security Management

In this session we will dissect a recent browser attack, looking into the methods that were used to exploit the browser and the potential impact of such attack. In addition, we will talk about how such attacks can be prevented in different stages.

Tales from the Trenches: What We Learned from Log4j

Liran Tancman | CEO, Rezilion
Roger Martinez | Sr. Information Security Engineer, Ziff Davis
Chris Wilder | Senior Analyst and Director of Research, TAG Cyber
Yotam Perkal | Head of Vulnerability Research, Rezilion NA

Date: Thursday, August 11 | 3:00pm-3:50pm ( Mandalay Bay I )

Format: 50-Minute Sponsored Session

Tracks: Application Security, Cloud Security

The security industry was abuzz when a flaw in Apache’s Log4j software was first revealed in December. Known as Log4Shell, the critical vulnerability has a huge attack surface, ease of exploitation, and severe potential impact. Research finds that many instances of the flaw remain unpatched, putting a massive number of organizations at risk. Because of the complexity in detecting Log4Shell, analysts say the implications of the bug are far-reaching and will likely be exploited for years to come. Join us as we discuss what was learned during the first months of Log4Shell and what it means for vulnerability management strategy as a whole.


This is the section where we have combed through the entire list of talks on both days and list our highlights for the talks that stand out to us. Note that this does not invalidate any talks we didn’t list; in fact, we highly recommend you take a look at the full convention schedule beforehand and make up your own talk highlight list. These are just the talks that, for us, had something stand out, either by being informative, unique or bizarre. (Sometimes, all three!)

KEYNOTE — Pre-Stuxnet, Post-Stuxnet: Everything Has Changed, Nothing Has Changed

Kim Zetter | Investigative Journalist

Date: Thursday, August 11 | 9:00am-10:00am ( Oceanside (Level 2) )

Format: 60-Minute Keynote

Track: Keynote

When Stuxnet was discovered in 2010, it shone a light on vulnerabilities in critical infrastructure that few had noticed before. The security community, largely focused on IT networks, had its eyes opened to a vast sector it had previously ignored — the operational networks and industrial control systems that manage pipelines, railways, the electric grid, water treatment plants, manufacturing and so many other pivotal industries. Cybersecurity suddenly became inextricably linked to national security. But it shouldn’t have been a surprise to anyone.

Likewise, that same year, the Aurora campaign that hit Google, RSA and dozens of other companies, launched a new era of massive espionage and supply-chain hacks. Threat actors became more sophisticated, and their operations more consequential — witness the OPM hack, DNC breach, NotPetya and SolarWinds. But the growing sophistication of operations shouldn’t have been a surprise to anyone.

A lot has changed in cybersecurity in the years since BlackHat was founded and Stuxnet was discovered, and a lot of advancements have been made. Yet despite a multi-billion dollar security industry and increased government focus on threats, the world is still surprised when threat actors pivot to new, but often wholly predictable, directions.

There are few things that truly blindside us, however. The rest cast signals long before they occur. What happened with Colonial Pipeline was foreseeable, as was the growing threat of ransomware and the problems created by security issues with voting systems.

Today we are seeing new signals that portend what’s to come. We see them in Ukraine, we see them in Iran, and we see them in the U.S. At BlackHat’s 25-year mark, it’s important not only to look back at where we came from — but also where we are headed. There’s a lot of activity in cyberspace that heralds the latter. Is anyone paying attention?

Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling

James Kettle | Director of Research, PortSwigger

Date: Wednesday, August 10 | 10:20am-11:00am ( Mandalay Bay GH (Level 2) )

Format: 40-Minute Briefings

Track: Application Security

The recent rise of HTTP Request Smuggling has seen a flood of critical findings enabling near-complete compromise of numerous major websites. However, the threat has been confined to attacker-accessible systems with a reverse proxy front-end… until now.

In this session, I’ll show you how to turn your victim’s web browser into a desync delivery platform, shifting the request smuggling frontier by exposing single-server websites and internal networks. You’ll learn how to combine cross-domain requests with server flaws to poison browser connection pools, install backdoors, and release desync worms. With these techniques, I’ll compromise targets including Apache, Akamai, Varnish, Amazon, and multiple web VPNs.

This new frontier offers both new opportunities and new challenges. While some classic desync gadgets can be adapted, other scenarios force extreme innovation. To help, I’ll share a battle-tested methodology combining browser features and custom open-source tooling. We’ll also release free online labs to help hone your new skillset.

I’ll also share the research journey, uncovering a strategy for black-box analysis that solved several long-standing desync obstacles and unveiled an extremely effective novel desync trigger. The resulting fallout will encompass client-side, server-side, and even MITM attacks; to wrap up, I’ll live-demo breaking HTTPS on Apache.

Industroyer2: Sandworm’s Cyberwarfare Targets Ukraine’s Power Grid Again

Robert Lipovsky | Principal Threat Intelligence Researcher, ESET
Anton Cherepanov | Senior Malware Researcher, ESET

Date: Wednesday, August 10 | 10:20am-11:00am ( Islander EI (Level 1) )

Format: 40-Minute Briefings

Tracks: Malware, Cyber-Physical Systems

Industroyer2 — a new version of the only malware to ever trigger electricity blackouts — was deployed in Ukraine amidst the ongoing Russian invasion. Like in 2016 with the original Industroyer, the aim of this recent cyberattack was to cause a major blackout — this time against two million+ people and with components amplifying the impact, making recovery harder.

We believe the malware authors and attack orchestrators are the notorious Sandworm APT group, attributed by the US DoJ to Russia’s GRU.

Our talk covers the technical details: our reverse engineering of Industroyer2, and a comparison with the original. Industroyer is unique in its ability to communicate with electrical substation ICS hardware — circuit breakers and protective relays — using dedicated industrial protocols. While Industroyer contains implementations of four protocols, Industroyer2 “speaks” just one: IEC-104.

We also provide a higher-level analysis of the attackers’ modus operandi and discuss why and how the attack was mostly unsuccessful. One of the most puzzling things about Industroyer has been the stark contrast between its sophistication and its impact: a blackout lasting one hour in the middle of the night is not the worst it could’ve achieved. Industroyer2 didn’t even accomplish that.

Even though it didn’t cause any significant outage, the attack did cause disruption — mostly through multiple pieces of destructive wiper malware, including CaddyWiper. We discuss this and other malware accompanying Industroyer2, and other cyberattacks we have discovered in Ukraine, since Russia’s 2022 invasion, and in the eight years since the war in Donbas began.

Finally, we present actionable advice for defenders, including: log entries to check; EDR rules to consider; configuration options to hamper Sandworm compromise and lateral movement; and detection/hunting rules for Snort and YARA. By sharing our extensive experience tracking Sandworm, attendees will leave better able to protect their infrastructure and hunt for traces of Sandworm.

Devils Are in the File Descriptors: It Is Time To Catch Them All

Le Wu | Security Researcher, Baidu

Date: Wednesday, August 10 | 11:20am-12:00pm ( Jasmine (Level 3) )

Format: 40-Minute Briefings

Tracks: Cloud & Platform Security, Lessons Learned

“Everything is a file” describes an important feature of Unix. File descriptor or fd is widely used in the Linux kernel. Exporting an fd to user space and importing an fd from user space are very common and basic operations in the Linux kernel. However, we discovered that there are many types of high-risk vulnerabilities lurking in the usage of these operations.

We discovered that the usage of fd importing operations in the Linux kernel can be a very vulnerable scenario. Several new types of vulnerabilities were found in the scenario and will be revealed for the first time. We also found that known types of vulnerabilities like type confusion are still widespread in the scenario unexpectedly. Moreover, we found a dozen vulnerabilities in the usage of fd exporting operations in kernels. These vulnerabilities exist in the Linux and Android kernels, affecting millions of devices. A comprehensive overview of vulnerabilities in the usage of fd operations will be summarized and thoroughly disclosed in this presentation.

We discovered some interesting facts about the vulnerabilities in the usage of fd operations. First, the GPU drivers are more vulnerable. Examples of vulnerable ones include the Arm Mali GPU driver, the AMD GPU driver, etc. Second, among the above examples, the kernel drivers which use the dma-buf interfaces are more vulnerable. Third, because of the peculiarities of these vulnerabilities, some of them can hardly be found by fuzzers like syzkaller. We will delve deeper into these facts in the presentation.

To overcome the difficulty of finding the vulnerabilities in the usage of fd operations, we developed several creative methods to guide fuzzers. With the help of such methods, we can easily find the vulnerabilities in the above-described scenarios. Coding tips will also be given for the purpose of preventing such vulnerabilities related to file descriptors.

Better Privacy Through Offense: How To Build a Privacy Red Team

Scott Tenaglia | Engineering Manager, Privacy Red Team, Meta

Date: Wednesday, August 10 | 11:20am-12:00pm ( South Seas AB (Level 3) )

Format: 40-Minute Briefings

Tracks: Privacy, Lessons Learned

Red teams are an important component of a holistic cyber security program because they test how well the program stands up to threats from real adversaries. In 2021, Meta created a privacy red team to help improve our privacy posture and preserve the privacy of our ~3 billion users and their data. Based on that experience, we present the case for why a privacy-focused red team is an important part of a holistic privacy program.

In this talk, you’ll learn what a privacy red team is, how it’s different from a security red team, the challenges we faced, and examples of real operations we performed. You’ll walk away with a better understanding of how privacy red teaming can benefit your organization, and the role that offense can play in your privacy defense.

Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal

Lennert Wouters | PhD Researcher, imec-COSIC, KU Leuven

Date: Wednesday, August 10 | 11:20am-12:00pm ( Islander EI (Level 1) )

Format: 40-Minute Briefings

Tracks: Hardware / Embedded, Reverse Engineering

The SpaceX operated Starlink low Earth orbit satellite constellation aims to provide satellite internet coverage to the whole world. The widespread availability of Starlink User Terminals (UT) exposes them to hardware hackers and opens the door for an attacker to freely explore the network. The recent Viasat attack demonstrates a need for satellite communication security and the impact security vulnerabilities can have on UTs that are often deployed in isolated locations.

This presentation covers the first black-box hardware security evaluation of the SpaceX Starlink UT. The UT uses a custom quad-core Cortex-A53 System-on-Chip (SoC) that implements verified boot based on the ARM Trusted Firmware (TF-A) project. The early stage TF-A bootloaders, and in particular the immutable ROM bootloader, include custom fault injection countermeasures. Despite the black-box nature of our evaluation we were able to bypass firmware signature verification during execution of the ROM bootloader using voltage fault injection.

Using a modified second stage bootloader we could extract the ROM bootloader and eFuse memory. Our emulation based analysis demonstrates that the fault model used during countermeasure development does not hold in practice. Our voltage fault injection attack was first performed in a laboratory setting and later implemented as a custom printed circuit board or ‘modchip’. Our attack results in an unfixable compromise of the Starlink UT and allows us to execute arbitrary code.

The ability to obtain root access on the Starlink UT is a prerequisite to freely explore the Starlink network. This presentation will cover an initial exploration of the Starlink network and provides some details on the communication links. Other researchers should be able to build on our work to further explore the Starlink ecosystem.

The documented attacks were performed within the scope of the SpaceX Bug Bounty program and were responsibly disclosed.

The Growth of Global Election Disinformation: The Role and Methodology of Government-linked Cyber Actors

Sandra Quincoses | Intelligence Analyst, Nisos

Date: Wednesday, August 10 | 11:20am-12:00pm ( Lagoon HI (Level 2) )

Format: 40-Minute Briefings

Tracks: Human Factors, Defense

Nisos researchers uncovered a prolific disinformation campaign focused on Colombia’s May 2022 elections in which Venezuelan leftist organizations are driving social media narratives in support of the current leftist Colombian presidential candidate and former M-19 revolutionary member, Gustavo Petro. Prior to its suspension from Twitter, @ChalecosAmarill used a mix of true and misleading information to advocate for presidential candidates with foreign policy positions favorable to U.S. adversaries, which increased its legitimacy and made disinformation difficult to detect. Its social media activities also include engagement with bot/sock puppet social media networks involved in information operations with the aim of influencing the digital environment, especially in Colombia.

Our assessment concludes a high likelihood that Venezuelan left-wing supporter, Rafael Nuñez and his pro-Venezuelan digital marketing associates are responsible for the content found on @ChalecosAmarill’s Twitter account and engagement with known bot/sock puppet networks running various Colombia-focused digital campaigns in favor of Petro. Additionally, it is likely that Nuñez’s efforts are a result of Venezuelan government interests.

Google Reimagined a Phone. It was Our Job to Red Team and Secure it.

Farzan Karimi | Red Team Lead, Google
Eugene Rodionov | Senior Security Researcher, Google
Xuan Xing | Senior Security Researcher, Google
Christopher Cole | Red Team Lead, Google

Date: Wednesday, August 10 | 1:30pm-2:10pm ( South Pacific F (Level 0 — North Convention Center) )

Format: 40-Minute Briefings

Tracks: Mobile, Hardware / Embedded

Despite the large number of phone vendors, most Android devices are based on a relatively small subset of system on a chip (SoC) vendors. Google decided to break this pattern with the Pixel 6. From a security perspective, this meant rather than using code that had been tested and used for years, there was a new stack of high value device firmware we needed to get right the first time.

This talk will go over how Android secured the reimagined Pixel 6 before its launch, focusing on the perspective of the Android Red Team. The team will demonstrate how fuzz testing, black box emulators, static analysis, and manual code reviews were used to identify opportunities for privileged code execution in critical components such as the first end-to-end proof of concept on the Titan M2 chip, as well as ABL with full persistence resulting in a bypass of hardware key attestation. Finally, the Android Red Team will demonstrate multiple security-critical demos. This work showcased the value of red teaming, ensuring a more secure and safe Pixel 6 before its release.

Internal Server Error: Exploiting Inter-Process Communication in SAP’s HTTP Server

Martin Doyhenard | Security Researcher, Onapsis

Date: Wednesday, August 10 | 1:30pm-2:10pm ( Islander EI (Level 1) )

Format: 40-Minute Briefings

Tracks: Enterprise Security, Application Security

More than 400,000 organizations, including 90% of Fortune 500 companies, rely on SAP’s software to keep their business up and running. At the core of every SAP deployment is the Internet Communication Manager (ICM), the piece of software in charge of handling all HTTP requests and responses.

This talk will demonstrate how to leverage two memory corruption vulnerabilities found in SAP’s proprietary HTTP Server, using high-level protocol exploitation techniques. Both techniques, CVE-2022-22536 and CVE-2022-22532, were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet.

First, by escalating an error in the HTTP request-handling process, this presentation will show how to desynchronize ICM data buffers and hijack every user’s account with advanced HTTP Smuggling. Furthermore, as the primitives of this vulnerability do not rely on parsing errors, a new technique will be introduced to take over a system, even in an “impossible to exploit” scenario — without a proxy! This will include a demo of the first desync botnet, using nothing more than JavaScript and Response Smuggling concepts.

Next, this talk will examine a Use After Free vulnerability in the shared memory buffers used for Inter-Process Communication. By exploiting an incorrect deallocation, it was possible to tamper messages belonging to other TCP connections and take control of all responses using Cache Poisoning and Response Splitting theory.

Finally, as the affected buffers are also used to contain Out Of Bounds data, a method to corrupt address pointers and obtain Remote Code Execution will be explained.

The Internet Communication Manager Advanced Desync (ICMAD) vulnerabilities were addressed by the US Cybersecurity and Infrastructure Security Agency, as well as CERTs from all over the world, proving the tremendous impact they had on enterprise security.

The Cyber Safety Review Board: Studying Incidents to Drive Systemic Change

Robert Silvers | Undersecretary for Policy, Department of Homeland Security
Heather Adkins | Vice President of Security Engineering, Google
Jeff Moss | Former Chief Security Officer and VP at ICANN, Founder of Black Hat and DEF CON Conferences, U.S. Department of Homeland Security Advisory Council

Date: Wednesday, August 10 | 1:30pm-2:10pm ( Lagoon KL (Level 2) )

Format: 40-Minute Briefings

Tracks: Policy, Application Security

Join Rob Silvers (DHS Undersecretary for Policy and Chair of the Cyber Safety Review Board) and Heather Adkins (Deputy Chair and Vice President, Security Engineering, Google) for a discussion about the Cyber Safety Review Board’s inaugural review of the Log4j vulnerability. Rob and Heather will talk about key report findings, how industry and government can implement the recommendations, and how the Board is changing the cyber ecosystem.

Trying to Be Everything to Everyone: Let’s Talk About Burnout

Stacy Thayer | Ph.D, Clinical and Organizational/Business Psychology, Norfolk State University

Date: Wednesday, August 10 | 1:30pm-2:10pm ( Lagoon HI (Level 2) )

Format: 40-Minute Briefings

Track: Community & Career

Research shows computer security professionals describe the computer security industry as a high-risk yet high-reward profession with negative effects on the workforce. There are an estimated 805,000 computer security professionals working in the US, but meeting the business demand for computer security professionals would require 62% industry growth. This leaves those in the field understaffed and highly stressed, ultimately leading to burnout. Stress and burnout can lead to mental fatigue, which can negatively impact motivation and engagement. It can also cause diminishing focus and performance levels, and have a negative impact on operational security, satisfaction, and performance, both in the office and at home. This talk will discuss the existing research on burnout in the computer security industry and will discuss what really causes burnout, why it happens, and what you can do to mitigate it, including setting healthy boundaries, avoiding guilt, realistic ways to manage anxiety, and honest self-talk so you can identify what is needed to refill your energy and passion.

I will discuss how to recognize burnout in hidden places and explore the root causes of it.

I will address what to do about it — going beyond simply meditation, exercise, and healthy eating. If it was that easy, we would all be doing that. This talk is unique in that it will utilize a knowledge of practical psychology to keep it real and use behavioral change models as a guide for reducing burnout. How do you find motivation, appreciation, and time for yourself when it feels like the world around you is demanding you give more? You will leave this talk with a better understanding of how burnout happens, your personal relationship to burnout, and an idea of what to do to help reduce, relieve, and manage it.

Smishmash — Text Based 2fa Spoofing Using OSINT, Phishing Techniques and a Burner Phone

Thomas Olofsson | CTO, FYEO Inc
Mikael Byström | Head of OSINT, FYEO Inc

Date: Wednesday, August 10 | 2:30pm-3:00pm ( Lagoon HI (Level 2) )

Format: 30-Minute Briefings

Tracks: Human Factors, Mobile

In recent years the data leaks have escalated, and leaked passwords and usernames have become a common attack vector in phishing attacks. Until recently phone numbers were commonly overlooked by attackers as well as red teams. This year has seen an increase in attacks circumventing text based 2fa.

In this talk, the researchers will show how it’s possible to gather data from publicly available sources and connect the phone numbers most likely used by two factor authentication systems to other leaked email and login credentials.

We will simulate an attack armed with your cracked password, email address and phone number.

We will show techniques and methods used by real threat actors to bypass text based 2fa using only publicly leaked data, using a real time attack that indexes OSINT data combined with publicly available attack tools and frameworks.

Trust Dies in Darkness: Shedding Light on Samsung’s TrustZone Keymaster Design

Alon Shakevsky | Graduate Student, Tel Aviv University
Eyal Ronen | Faculty Member, School of Computer Science, Tel Aviv University
Avishai Wool | Faculty Member, School of Electrical Engineering, Tel Aviv University

Date: Wednesday, August 10 | 2:30pm-3:00pm ( Lagoon KL (Level 2) )

Format: 30-Minute Briefings

Tracks: Mobile, Cryptography

ARM-based Android smartphones rely on the TrustZone hardware support for a Trusted Execution Environment (TEE) to implement security-sensitive functions. The TEE runs a separate, isolated, TrustZone Operating System (TZOS), in parallel to Android. The implementation of the cryptographic functions within the TZOS is left to the device vendors, who create proprietary undocumented designs.

In this work, we expose the cryptographic design and implementation of Android’s Hardware-Backed Keystore in Samsung’s Galaxy S8, S9, S10, S20, and S21 flagship devices. We reverse-engineered and provide a detailed description of the cryptographic design and code structure, and we unveil severe design flaws. We present an IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material, and a downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack. We demonstrate working key extraction attacks on the latest devices. We also show the implications of our attacks on two higher-level cryptographic protocols between the TrustZone and a remote server: we demonstrate a working FIDO2 WebAuthn login bypass and a compromise of Google’s Secure Key Import. We discuss multiple flaws in the design flow of TrustZone based protocols. Although our specific attacks only apply to the ~100 million devices made by Samsung, it raises the much more general requirement for open and proven standards for critical cryptographic and security designs.

Invisible Finger: Practical Electromagnetic Interference Attack on Touchscreen-based Electronic Devices

Haoqi Shan | Research Assistant, University of Florida
Boyi Zhang | Research Assistant, University of Florida
Yier Jin | Associate Professor, University of Florida
Shuo Wang | Professor, University of Florida

Date: Wednesday, August 10 | 3:20pm-4:00pm ( Lagoon KL (Level 2) )

Format: 40-Minute Briefings

Tracks: Hardware / Embedded, Mobile

Touchscreen-based electronic devices such as smartphones and tablets are widely used in our daily lives. While the security of electronic devices has been heavily investigated recently, the resilience of touchscreens against various attacks has yet to be thoroughly studied. In this presentation, for the first time, we show in a systematic and practical way how touchscreen devices are vulnerable to Intentional Electromagnetic Interference (IEMI) attacks.

Beyond showing how practical IEMI attacks are mounted against touchscreens, we will also analyze and quantify in detail the underlying mechanism that enables our novel touchscreen attacks. We will show and explain how to calculate the minimum electric field strength and signal frequency required to induce false touch events. The induced touch events allow attackers to remotely perform short-tap, long-press, and omni-directional gestures on touchscreen devices placed on a regular conference table without physically touching the victim devices.

Beyond simply showing how to generate touch events under an ideal scenario, we will introduce the novel techniques needed to build up the attack chain in a practical way, such as designing and using a phone locator to infer the position and orientation of the target smartphone while it is out of sight, and determining whether the injected IEMI signal works without seeing the screen. We will show and explain how our state-of-the-art attack can be used remotely on different touchscreen devices and deliver practical attack outcomes, including unlocking a gesture-based PIN lock, installing malware on Android devices, and activating Siri on iOS devices.

Real ‘Cyber War’: Espionage, DDoS, Leaks, and Wipers in the Russian Invasion of Ukraine

Juan Andres Guerrero-Saade | Principal Threat Researcher, SentinelOne
Tom Hegel | Senior Threat Researcher, SentinelOne

Date: Wednesday, August 10 | 3:20pm-4:00pm ( Islander EI (Level 1) )

Format: 40-Minute Briefings

Tracks: Malware, Policy

The Russian invasion of Ukraine has included a wealth of cyber operations that have tested our collective assumptions about the role that cyber plays in modern warfare. The concept of ‘Cyber War’ has been subject to all kinds of fantastic aberrations fueled by commentators unfamiliar with the realities and constraints of real-world cyber operations.

From the beginning of 2022, we have dealt with at least seven strains of wiper malware targeting Ukraine. The latest wiper was used to attack satellite modems with suspected spillover into critical infrastructure in Western Europe. Before this, nation-state wiper malware was relatively rare and this period of abundance is teaching us a great deal about the effects attackers can(‘t) have during military operations and what we should realistically expect in an era of hybrid warfare with cyber components.

A New Trend for the Blue Team — Using a Practical Symbolic Engine to Detect Evasive Forms of Malware/Ransomware

Sheng-Hao Ma | Threat Researcher, TXOne Networks Inc.
Mars Cheng | Manager, PSIRT and Threat Research, TXOne Networks Inc.
Hank Chen | Threat Researcher, TXOne Networks Inc.

Date: Wednesday, August 10 | 4:20pm-5:00pm ( Lagoon KL (Level 2) )

Format: 40-Minute Briefings

Tracks: Data Forensics & Incident Response, Defense

Blue Teams and anyone on the defensive side face various challenges when it comes to reverse engineering suspected malware or ransomware binaries, especially ones using obfuscation techniques, such as malware variants, embedded exploits and complex ransomware. First, identifying whether the sample is even worth the effort (what makes it unique, challenging or new), and second, choosing static analysis, dynamic analysis, or both. With static analysis, you give up the ability to detect obfuscated malicious behavior that is only visible at run time; dynamic analysis is both labor- and time-intensive and requires a high degree of skill and experience, not to mention the risk of the binary escaping your sandbox, emulation or virtualization environment.

We believe there may be a new tool for the Blue Team’s toolbox: a symbolic execution engine for detecting and analyzing suspected malware/ransomware binaries. A practical symbolic engine can help by parsing through many of the possible execution paths of the binary and representing those paths as symbols. This engine can provide analysis of malicious execution paths with relatively low computing resources, analyze contextual relationships based on instruction semantics, and perform taint tracking and fuzzy identification of obfuscated APIs.

Using our practical symbolic engine, based on the combination and improvement of academic and practical research, you can identify and detect various exploits, techniques, and multiple malware/ransomware variants via symbolic signatures of attack techniques and ransomware behaviors in a fully static setting. Even if the malware binary is obfuscated, we can still analyze it statically and detect it effectively. Our plan is to make our engine available to the community as open source during Black Hat USA 2022, to give back to the infosec community and help Blue Teams save time on an ongoing and difficult problem.

Breaking the Chrome Sandbox with Mojo

Stephen Röttger | Software Engineer, Google

Date: Wednesday, August 10 | 4:20pm-5:00pm ( Mandalay Bay GH (Level 2) )

Format: 40-Minute Briefings

Track: Exploit Development

If you manage to exploit a Chrome renderer vulnerability, you find yourself in a tight sandbox. Access to OS resources like the file system is greatly restricted, and site isolation still enforces the web security guarantees. To allow such strong restrictions, various IPC services provide the required functionality to the renderer process, and those services can themselves become a target for sandbox escapes.

In this talk, we will take a look at Mojo, the IPC framework in Chrome. I will explain the protocol’s inner workings using three logic bugs as examples. Finally, we’re going to write a reliable exploit for a seemingly impossible race condition.

UWB Real Time Locating Systems: How Secure Radio Communications May Fail in Practice

Andrea Palanca | Security Researcher, Nozomi Networks
Luca Cremona | Security Researcher, Nozomi Networks
Roya Gordon | Security Research Evangelist, Nozomi Networks

Date: Wednesday, August 10 | 4:20pm-5:00pm ( Islander EI (Level 1) )

Format: 40-Minute Briefings

Tracks: Cyber-Physical Systems, Network Security

Ultra-wideband (UWB) is a rapidly growing radio technology that, according to the UWB Alliance, is forecast to drive sales volumes exceeding one billion devices annually by 2025. Among its current applications, off-the-shelf Real Time Locating Systems (RTLS) employ UWB to provide localization solutions for a wide set of use cases (e.g., medical patient location tracking, safety geofencing, asset monitoring, contact tracing, etc.).

The security of UWB wireless communications has recently been strengthened by the Institute of Electrical and Electronics Engineers (IEEE) 802.15.4z amendment. However, critical phases of the RTLS process are handled by obscure network protocols that are not regulated by standards, leaving the responsibility for their design and implementation to the vendors.

In an effort to strengthen the security of devices utilizing UWB, Nozomi Networks Labs conducted a security assessment of two popular UWB RTLS solutions available on the market. Our research reveals 0-day vulnerabilities and other weaknesses that, if exploited, could allow an attacker to gain full access to all sensitive location data exchanged over-the-air.

In this presentation, we will demonstrate how an attacker may exploit RTLS to locate and target people, hinder safety geofencing rules, and interfere with contact tracing, as well as present key actions to help mitigate these weaknesses to secure UWB RTLS from potential cyber attacks.

Process Injection: Breaking All macOS Security Layers With a Single Vulnerability

Thijs Alkemade | Security Researcher, Computest

Date: Thursday, August 11 | 10:20am-11:00am ( South Seas CD (Level 3) )

Format: 40-Minute Briefings

Tracks: Cloud & Platform Security, Application Security

macOS local security is shifting more and more to the iOS model, where every application is codesigned, sandboxed and needs to ask for permission to access data and features. New security layers have been added to make it harder for malware that has gained a foothold to compromise the user’s most sensitive data. Changing the security model of something as large and established as macOS is a long process, as it requires many existing parts of the system to be re-examined. For example, creating a security boundary between applications running as the same user is a large change from the previous security model, introducing new vulnerabilities such as process injection.

CVE-2021-30873 is a process injection vulnerability we reported to Apple that affected all macOS applications. This was addressed in the macOS Monterey update from October 2021, but completely fixing this vulnerability requires changes to all third-party applications as well. Apple has even changed the template for new applications in Xcode to assist developers with this.

In this talk, we’ll explain what a process injection vulnerability is and why it can have a critical impact on macOS. Then, we’ll explain the details of this vulnerability, including the techniques we developed to exploit insecure deserialization in macOS. Finally, we will explain how we exploited it to escape the macOS sandbox, elevate our privileges to root and bypass SIP.

From Hackathon to Hacked: Web3’s Security Journey

Nathan Hamiel | Senior Director of Research, Kudelski Security

Date: Thursday, August 11 | 11:20am-12:00pm ( South Pacific F (Level 0 — North Convention Center) )

Format: 40-Minute Briefings

Track: Application Security

If there’s one prediction you can make with certainty, it’s that security in the Web3/blockchain space will get a whole lot worse before it gets better. We have the perfect cocktail of inexperience mixed with emerging technology playing out in full public view with large sums at stake and the permanence of immutable transactions. The result is predictable. An environment free from constraints can seem like an innovation paradise, but when the stakes are so high, you have to get everything right the first time because there may not be a next time. We tend to forget that what we see from this space are experiments playing out in production, and the time between exploitation and losing millions of dollars worth of value can be measured in seconds. So, how did we get here? Is it all doom and gloom? What can be done?

This talk is a grounded look at the factors contributing to the security failures we’ve witnessed, free from the hype and hatred associated with the space. We look at the similarities and differences between the development of this new technology and more traditional applications and how some of the attacks manifested. Better testing and tools aren’t enough to solve the problem. We discuss actionable steps projects and chains can use today to address these issues and make the ecosystem safer for projects and users.

XMPP Stanza Smuggling or How I Hacked Zoom

Ivan Fratric | Security Researcher, Google Project Zero

Date: Thursday, August 11 | 11:20am-12:00pm ( South Seas AB (Level 3) )

Format: 40-Minute Briefings

Tracks: Enterprise Security, Exploit Development

XMPP is a popular instant messaging protocol based on XML that is used in messengers, online games and other applications.

This talk will introduce a new way of attacking XMPP client software: XMPP stanza smuggling. More specifically, it will show how seemingly subtle quirks in XML parsing can be exploited to “smuggle” attacker-controlled XMPP control messages to the victim client and how the design of the XMPP protocol makes it especially susceptible to such issues. It will be demonstrated how such issues led to 0-click remote code execution in the Zoom client.

While Zoom is used as an example throughout the talk and to demonstrate the maximum impact achievable, the XMPP bugs presented are not specific to Zoom.

The Battle Against the Billion-Scale Internet Underground Industry: Advertising Fraud Detection and Defense

Zheng Huang | Chief Architect of Security Department, Baidu
Shupeng Gao | Senior Security Researcher, Baidu
Yakun Zhang | Senior Security Researcher, Baidu
Hai Yang | Senior Security Researcher, Baidu
Jie Gao | Senior Security Researcher, Baidu

Date: Thursday, August 11 | 1:30pm-2:10pm ( Jasmine (Level 3) )

Format: 40-Minute Briefings

Tracks: Defense, Human Factors

Advertising is the main profit model of internet companies; the annual scale of the global internet advertising industry has reached hundreds of billions of dollars. In fact, internet advertising fraud and anti-fraud may be a war that will never end. In the past few years, we have traced and caught hundreds of internet underground industry practitioners, and we have seen the escalation and evolution of the technological confrontation.

In this talk, we will select some typical and large-scale internet underground industry gangs and do an in-depth analysis.

-Gang 1: An ultra-large-scale advertising fraud group that infected 350 million mobile phones through a mobile big data analysis SDK. They have existed for five years, involving multiple listed companies, and their fraud targets include some global advertising giants, all mobile advertising platforms and all search engines in China.

-Gang 2: PC application bundled software exposed at the China Central Television (CCTV) Consumer Rights Protection 315 Gala in 2022. They infected millions of computers and planted extension backdoors into browsers. Their fraud targets include all online shopping sites, social networking sites and advertising platforms in China. They defraud the advertising channel for profit and secretly add fans to “We media” accounts.

-Gang 3: Malicious click tools used for vicious competition among advertisers. They generate harassing and invalid clicks on advertisers’ campaigns, which discourages advertising investment.

For the above-mentioned advertising fraud gangs, we will summarize the key technologies they use, conduct a crowd analysis of the internet underground industry practitioners, and classify them into high-end and low-end gangs. High-end internet underground industry gangs can use the upstream and downstream channel resources of the internet industry: they can quickly infect a large number of devices, profit from invisible advertising impressions and simulated clicks on mobile phones, and tamper with browser traffic and simulate user clicks on the PC side using browser plug-in backdoors. Low-end internet underground industry gangs use “YI language” (易语言) and a series of browser libraries to quickly build hacking tools and sell them at a low price, which can also have a very bad impact.

In order to detect and trace these gangs, we have developed the Heracles project, which uses a new device fingerprint generation technology and side-channel detection to identify mainstream hacking tools, such as headless browsers (puppeteer, minibrowser, etc.), “mobile key press genie” (按键精灵), and “cloud phones”. We also use JavaScript runtime and JSBridge hooks in the browser engine, CROS features and other new technologies to detect simulated clicks on mobile advertisements and browser extension hijacking. These technologies are the keys to tracing and combating the internet underground industry chain, and they significantly reduce advertising fraud risk.

Previously, we were a browser and operating system security research team that obtained hundreds of CVEs. We will introduce how security researchers can contribute to anti-fraud. Many undisclosed methods for tracing and catching internet underground industry practitioners will be presented in this talk; we believe that many companies and anti-fraud practitioners will benefit from it.

Another Way to Talk with Browser: Exploiting Chrome at Network Layer

Rong Jian | Security Researcher, 360 Vulnerability Research Institute
Guang Gong | Tech Leader, 360 Vulnerability Research Institute

Date: Thursday, August 11 | 2:30pm-3:00pm ( Jasmine (Level 3) )

Format: 30-Minute Briefings

Track: Exploit Development

Networking is a critical and complex task for browsers. It ranges from high level JavaScript APIs, all the way down to managing every socket connection. Services on remote servers can control every single byte sent to the browser during communication, which might lead to memory safety issues when the browser parses the inputs. But apart from these security issues due to data processing, are there other logic bugs from a higher-level view? Can this type of bug be exploited and how?

In this presentation, we will show how we discovered several bugs in the Chrome network stack and exploited them to compromise the renderer process and escape the Chrome sandbox. We will discuss the design problems of resource fetching/caching and of one of the transport layer protocols embedded in Chrome. We will illustrate how server-side responses can affect browser behavior, which results in security bugs. Finally, we will detail the exploit strategy for these bugs, which we used to win the Chrome category in the Tianfu Cup 2021 Cybersecurity Contest.

DirectX: The New Hyper-V Attack Surface

Zhenhao Hong | Security Specialist, Ant Group Light-Year Security Lab
Ziming Zhang | Senior Security Engineer, Ant Security Light-Year Lab

Date: Thursday, August 11 | 2:30pm-3:00pm ( Lagoon KL (Level 2) )

Format: 30-Minute Briefings

Tracks: Reverse Engineering, Cloud & Platform Security

In 2020, Hyper-V introduced a new GPU paravirtualization feature, which is based on GPU virtualization technology. This technology is integrated into WDDM (Windows Display Driver Model), and all WDDMv2.5 or later drivers have native support for GPU virtualization. However, new features mean new attack surfaces.

In this talk, I will disclose four vulnerabilities in the Hyper-V DirectX component that I found and that have since been fixed. Two of these vulnerabilities could allow an attacker running a specially crafted application on a guest operating system to cause the Hyper-V host operating system to execute arbitrary code.

To understand these vulnerabilities, I will first introduce the basic architecture of the Hyper-V DirectX component and explain how to configure the virtual machine parameters so that this virtual device can be used inside a virtual machine. By referring to the WSL Linux kernel source code and through reverse engineering, I will introduce the attack surface of the Hyper-V DirectX component. By disclosing four vulnerabilities in the Hyper-V DirectX component, you will gain a better understanding of this attack surface. Later, I will describe how to use fuzzing to find vulnerabilities in this attack surface, using a simple fuzzing framework I wrote myself as a learning case. Finally, I’ll share takeaways and my opinions on this attack surface, as well as speculation on the future development of the Hyper-V DirectX component.

Don’t Get Owned by Your Dependencies: How Firefox Uses In-process Sandboxing To Protect Itself From Exploitable Libraries (And You Can Too!)

Shravan Narayan | PhD Student, UC San Diego
Tal Garfinkel | Research Scientist, UC San Diego
Deian Stefan | Professor, UC San Diego

Date: Thursday, August 11 | 2:30pm-3:00pm ( South Seas CD (Level 3) )

Format: 30-Minute Briefings

Tracks: Defense, Application Security

Memory safety vulnerabilities in third party C libraries are a major source of zero-day attacks in today’s applications. Several years ago, our team began exploring a new approach to mitigating these attacks in Firefox, which relies on third party libraries for everything from media rendering to spell checking.

To accomplish this, we began migrating Firefox to an architecture where third party C libraries are run in lightweight in-memory sandboxes (based on WebAssembly). Firefox has been shipping with this new architecture since 2020.

We will explore a variety of hard questions we encountered when bringing this approach to Firefox: How do we ensure sandboxing is efficient enough that we don’t have to significantly change or re-architect existing code? How can we retrofit sandboxing without changing libraries? How do we ensure that our application (Firefox), which was written to trust libraries, cannot be exploited when a malicious (but sandboxed) library attacks?

We will talk about a new language-level framework (RLBox) we developed to meet these challenges. RLBox uses the language-level type system to (1) track inputs from untrusted libraries to ensure they are properly sanitized before use, (2) automatically reconcile ABI differences between WebAssembly and application code, and (3) automate and assist with the process of migrating existing code to use untrusted libraries.

We will share some examples of our own experience applying RLBox in Firefox, and briefly explore the performance impact of sandboxing. RLBox and its related tools are fully open source and available to participants. We will explore how participants can apply our tools to their own projects.

Human or Not: Can You Really Detect the Fake Voices?

Xin Liu | Security Researcher, Lanzhou University
Yuan Tan | Security Researcher, Lanzhou University
Rui Chong | CTO, Beijing Zhongxin Xingkong Network Technology Co
Xiaokang Zhou | Professor, Shiga University
Mingyuan Zhang | ML Researcher, University of Pennsylvania
Qingguo Zhou | Professor, Lanzhou University

Date: Thursday, August 11 | 3:20pm-4:00pm ( Jasmine (Level 3) )

Format: 40-Minute Briefings

Tracks: AI, ML, & Data Science, Defense

Voice is an essential medium for humans to transfer information and build trust, and the trustworthiness of voice is of great importance to humans. With the development of deep learning technologies, attackers have started to use AI techniques to synthesize and even clone human voices. To combat the misuse of such techniques, researchers have proposed a series of AI-synthesized speech detection approaches and achieved very promising detection results in laboratory environments. Can these approaches really be as effective in the real world as they claim to be? This study provides an in-depth analysis of these works, identifies a set of potential problems, and designs a novel voice clone attack framework, SiF-DeepVC, based on these problems. This study first proposes the idea “bypass fake voice detection using speaker-irrelative features” and proves that detecting AI-synthesized speeches is still highly challenging, and existing approaches are not applicable in the real world. In a word, the Red is still far ahead of the Blue.

Locknote: Conclusions and Key Takeaways from Black Hat USA 2022

Jeff Moss | Former Chief Security Officer and VP at ICANN, Founder of Black Hat and DEF CON Conferences, U.S. Department of Homeland Security Advisory Council
Justine Bone | CEO, Medsec
Chris Eng | Chief Research Officer, Veracode
Natalie Silvanovich | Team Lead & Security Engineer, Google
Matt Suiche | Director for Memory & Incident Response R&D, Magnet Forensics

Date: Thursday, August 11 | 4:20pm-5:00pm ( Mandalay Bay GH (Level 2) )

Format: 40-Minute Briefings

Tracks: Keynote, Lessons Learned

To close out Black Hat USA 2022, join Black Hat Founder Jeff Moss and Review Board members Sheila A. Berta, Chris Eng, Natalie Silvanovich and Matt Suiche for an insightful conversation on the most pressing issues facing the InfoSec community. This Locknote will feature a candid discussion on the key takeaways coming out of the conference and how these trends will impact future InfoSec strategies.


DCG 201

North East New Jersey DEFCON Group Chapter. Dirty Jersey Represent! We meet at Sub Culture once a month to hack on technology projects!