#RomHack2021 Speakers & Talks

This is not your average keynote.
Instead of talking buzzwords, I will be dissecting a particularly challenging memory corruption exploit I wrote last year.
In a web's world, a binary exploitation talk should be considered weird enough... But no! On top of that, this specific vulnerability is a format string bug, exploited on an obscure architecture.
I hope you will enjoy my last Solaris talk

---

whois Marco

Marco Ivaldi is a seasoned cybersecurity researcher and tech leader.
He works as Technical Director at HN Security, a startup he co-founded that provides tailored offensive security services.
As a member of the ISECOM Core Team, he is involved in the development of the Open Source Security Testing Methodology Manual (OSSTMM), the international standard for performing security testing.
Marco is also a prolific exploit writer and polyglot programmer of weird machines. Back in the 90s, he co-founded Linux&C, the first Italian magazine about Linux and open source.
His homepage and playground is 0xdeadbeef.info

[ Agenda | Top ]

In this talk, I will cover the more interesting bits of the research that I've carried out on Apache HTTP server's security. I will walk you through the entire review process, including fuzzing, static analysis, and variant analysis.

I will also show several vulnerabilities I discovered in Apache HTTP server and how they could be exploited. Highlights of found vulnerabilities include UAFs, race conditions and heap overflows.

It’s important to note that these vulnerabilities were recently discovered and they are currently in the process of being reported. Thus, some of these vulnerabilities will be publicly presented for the first time at this talk.

---

whois Antonio

Antonio Morales works as a security researcher at GitHub Security Lab, whose primary mission is to help improve Open Source project's security.
Antonio's interests include fuzzing, code analysis, exploit development, and C/C++ security.

[ Agenda | Top ]

Traditionally, the OWASP ModSecurity Core Rule Set, an OWASP flagship project, has been hard to use.
However, the release of CRS 3.0 in 2017 and the advancements made up to CRS 3.4 successfully removed most of the false positives in the default installation. This improved the user experience when running ModSecurity / CRS - the only general purpose open source web application firewall.

The presentation explains how to run CRS successfully in high security settings. This includes practical advice to tuning, working with the anomaly thresholds, the paranoia levels and complementary whitelisting rule sets. This talk is based on many years of experience gained by using CRS in various high security settings, including the one by Swiss Post for it's national online voting service.

---

whois Christian

Christian Folini is a Swiss security engineer and open source enthusiast of distant Italian decent. He holds a PhD in medieval history and enjoys defending castles across Europe.
Unfortunately, defending medieval castles is not a big business anymore and so he turned to defending web servers, which he finds equally challenging. He brings more than ten years of experience with ModSecurity configuration in high security environments, DDoS defense and threat modeling.

Christian Folini is the author of the second edition of the ModSecurity Handbook and the best known teacher on the subject. He co-leads the OWASP ModSecurity Core Rule Set project and serves as the program chair of the "Swiss Cyber Storm" conference.
In 2020, the Swiss government invited him to moderate a dialogue with 25 scientists on the questions of online voting security.
Christian Folini is a frequent speaker at conferences, where he tries to use his background in the humanities to explain hardcore technical topics to audiences of different backgrounds.

[ Agenda | Top ]

How much trust is zero trust anyway? As more security controls are added to protect cloud accounts, much of that trust ends up on a users endpoint, where long-term credentials are stored which comply with strict security policies, such as Multi Factor Authentication and device compliancy.

To secure these credentials, hardware protection with a Trusted Platform Module is used where possible.
But how effective are these security controls? I have been researching Azure AD device security for the past year and have broken quite some security controls I encountered.

In this talk I'll demonstrate how and what the consequences of these attacks are.

---

whois Dirk-jan

Dirk-jan is a red teamer and researcher of Active Directory and Azure AD at Fox-IT.
Amongst the open-source tools published to advance the state of (Azure) AD research are aclpwn, krbrelayx, mitm6 and the Azure AD ROADtools framework. He blogs at dirkjanm.io, where he publishes about new Active Directory attack chains, which included the discovery of the PrivExchange vulnerability.
He presented previously at TROOPERS, DEF CON, Black Hat and BlueHat and was part of the MSRC most valuable researchers 2018 to 2020 through his Azure AD research.

[ Agenda | Top ]

Supply chain security has been a much discussed topic as of late, with many high profile attacks making mainstream news and a recent executive order signed off by the US president.
For this talk, Luke Hinds, a security engineering lead from Red Hat's office of the CTO, will delve into some recent attacks and then introduce project sigstore, a software signing service due to launch this year under the Linux Foundation.
Luke will provide a demo of sigstore's signing infrastructure and demonstrate how it protects the software supply chain.

---

whois Luke

Luke Hinds is the security engineering lead in Red Hats office of the CTO.
He has a 20 year career in security software development in open source communities. He is the founder of sigstore.dev / keylime.dev and is a member of the Kubernetes Security Response team where he manages the bug bounty program.
He is a very approachable individual who loves to talk to experts or beginners alike.

[ Agenda | Top ]

This presentation is intended to demonstrate that sophisticated attacks, such as Stuxnet or Triton, could be still carried out against other ICS manufacturers and devices.
By relying on our own CVEs, we will explain how to exploit them to reproduce the key stages of a new Stuxnet with the ability to execute unconstrained code on PLCs.

In this context, the first three vulnerabilities are used to perform a Remote Code Execution from an IT access to the engineering station through the PLC simulator.
From this station, the fourth vulnerability is intended to abuse a shared memory to gain SYSTEM rights. Finally, the fifth vulnerability allows us to execute unconstrained code on PLCs. Also for automating our attack, we used intrinsic functionalities (COM/DCOM) offered by the main software.

---

whois Nicolas

Nicolas Delhaye is a security researcher who has over 10 years of experience in reverse-engineering and vulnerability research. His work involves performing deep-dive analysis and looking for unknown vulnerabilities on Windows components.

He had previously found weaknesses such as the SMBLost vulnerability or a RPC trick for remotely enumerating every Windows network interfaces without any authentication.

Lately, he presented at Rump’in Rennes 2019 and GreHack 2020.

---

whois Flavian

Flavian Dola is a vulnerability researcher of Airbus CyberSecurity specialized on embedded systems (IoT, ICS, On Board components, etc.). His field of expertise lies on the areas of reverse engineering, fuzzing and exploit development.

His works around Stuxnet-type attack were greeted by the ICS security community and press.

He is the creator of:
- IP2LoRa: an opensource software to acheive IP tunneling over LoRa
- afl_ghidra_emu: an opensource software that allows to fuzz exotic architecture using AFL++ and Ghidra emulation engine

Lately, he was a speaker at some conferences such as Rump'in Rennes 2019, GreHack 2020 and SSTIC rumps 2021.

[ Agenda | Top ]