Talks
In 2017, the discovery of Spectre and Meltdown kicked off a whirlwind of attention and spawned a new research topic on "transient execution attacks". Now, 8 years, and many new attacks and mitigations, later, most of the microarchitectural dust has settled. While still keeping a few research groups around the globe busy, many people in the field, including top-notch security experts from industry, question the threat these attacks pose in real-world scenarios.
We, as microarchitectural security researchers, always find it funny when people ask questions like: "Does Spectre actually work?", "Are those attacks real?", "Doesn't that only work in a lab setting?". Funny, but also worrying, as we know the risks. The goal of this project was to convince (many of) these people that Spectre & friends *do* pose serious and realistic threats. In particular: we show they can enable a malicious public cloud user to find and leak highly sensitive private data from other customers (without even knowing them a priori).
To be as real-world as we could be, we performed these attacks on the production clouds of AWS and Google Cloud, using their standard public interfaces to spawn VMs. By combining the two (old, and —supposedly— mitigated) transient execution vulnerabilities called "L1TF" and "Half-Spectre", we build an arbitrary read-primitive into the host's virtual address space. On Google Cloud, this led us to be able to (1) discover co-located victim VMs, (2) list their processes, and, as an example (3) leak the private TLS key of an nginx webserver — reliably, even under extreme system noise, with perfect accuracy, within hours.
Vibe coding has a time and a place: it is great for making quick prototypes, and is very tempting for less technical folks. However, those who don’t understand their own code will be blissfully unaware of the many security vulnerabilities that AI assistants can introduce.
In this presentation, I will cover a variety of common vulnerabilities that can be introduced from vibe coding, and then how to recognize and fix them. I will also cover how to prompt genAI tools to code more securely and help you review your code, as well as how to take a hybrid approach with AI-advised coding. This is a crucial topic for anyone venturing into vibe coding, as well as any team leads who are starting to see AI-generated code introduced by more junior members.
Exploit is in the logic: Reversing an Android application to hack transactions on an NFC tag.
Luigi Gubello
A punk journey in a home-made reverse engineering project to hack an NFC tag for ̶p̶r̶o̶f̶i̶t̶ ̶a̶n̶d̶ ̶f̶u̶n̶ free drinks (and fun, it's always about fun). Reversing a Hermes-encoded Android bundle to understand how an NFC tag (NXP NTAG 21X) works and how to exploit it.
Detection Engineers Hate This One Weird Trick (Anti-Cheat Devs Don't)
Marco Paciaroni
- Anti-Cheat fundamentals
  - Basics about Anti-Cheat software
  - Current state of popular commercial solutions
  - Brief description (with real examples) of techniques they actually use in production
- Technical foundations
  - Basics of Windows kernel reverse engineering
  - Hypervisors and how they fit into this picture
  - Useful notions to hide from and attack a kernel surveillance system (such as an Anti-Cheat would be)
- Real-world scenarios
  - A couple of real examples of how an interaction between a cheater and an anti-cheat engineer would unfold in reality
  - What the strategy from each side would be to win the "rat race"
  - A series of short recorded demos or screenshots for some of the described techniques
- Beyond gaming: other applications
  - DRM copyright protection bypasses
  - Analyzing targets that definitely do not want to be analyzed
  - Fuzzing black box targets that employ strong anti-tampering measures
Can you make solving CTFs your day job? In this talk, we will discuss the parallels between cryptography CTF challenges and the work I do as a cryptography consultant with NCC Group. The focus of the talk will be giving context about what the work we do day to day looks like with several examples of real world bugs typically found during engagements.
While hunting for vulnerabilities on an IoT device, we needed shell access to make reverse engineering easier. At first, we were able to get logs over a serial console; however, once Linux started, the system went completely silent, with no obvious explanation. What initially looked like a straightforward debugging setup quickly turned into a deeper investigation into why the console stopped working after boot.
This talk describes how we approached the problem and ultimately restored a fully working serial console through some good old trial and error. By walking through the steps we took and the obstacles we encountered, we aim to share practical ideas that may help others who run into similar issues when analyzing embedded devices.
Overlays and Beyond: Revisiting Tapjacking on Android
Philipp Beer
Users interact with mobile devices under the assumption that the graphical user interface accurately reflects their actions, a trust fundamental to the user experience. Threat actors have long sought to undermine this relationship through tapjacking, a technique where malicious overlays are used to trick users into performing unintended actions, such as authorizing financial transactions or granting sensitive permissions. While Android has responded with increasingly strict mitigations, this cat-and-mouse game is far from over.
In this talk, we revisit the evolution of tapjacking and present TapTrap, a novel attack technique that bypasses modern Android protections. Unlike previous methods that rely on overlays, TapTrap abuses UI animations to circumvent the system’s security model. We demonstrate how a zero-permission app can leverage TapTrap to stealthily bypass the permission system and execute destructive actions. We conclude by demonstrating how TapTrap’s impact extends to the Web ecosystem and enables web clickjacking.