Talks
FloatZone: how Floating Point Additions can Detect Memory Errors
Floris Gorter
Memory sanitizers are powerful tools to detect spatial and temporal memory errors, such as buffer overflows and use-after-frees. Fuzzers and software testers often rely on these tools to discover the presence of bugs. Sanitizers, however, struggle with high runtime overhead as a result of having to perform expensive checks to validate memory accesses. These checks involve at least a memory lookup, a comparison, and a conditional branch instruction.
In this talk, we introduce FloatZone, a compiler-based sanitizer to detect spatial and temporal memory errors in C/C++ programs using lightweight checks that leverage the Floating Point Unit (FPU). With FloatZone, we show that the combined effects of "lookup, compare, and branch" can be achieved with a single floating point addition that triggers an underflow exception in the case of a memory violation.
This novel method to detect illegal accesses greatly improves performance by avoiding the drawbacks of traditional comparisons: it prevents branch mispredictions, enables higher instruction-level parallelism due to offloading to the FPU, and also reduces the cache miss rate due to the lack of shadow memory.
Attacks and New Developments in Isogeny-based Cryptography
Luciano Maino
Recent advancements in quantum computing are undermining the security of the current public-key infrastructure. In response to this threat, a new branch of cryptography, called post-quantum cryptography, has appeared. Post-quantum cryptography aims at having cryptosystems that not only can run on ordinary laptops but are also resistant to the quantum threat.
Some of the solutions suggested so far rely on isogenies. Isogenies are special maps between elliptic curves. Arguably, the most influential cryptosystem in this field is Supersingular Isogeny Diffie-Hellman (SIDH). In this talk, I will narrate the bitter-sweet story of SIDH: from being a candidate in the NIST Post-Quantum standardisation process to its recent break. Then, I will explain how to make the most out of a broken scheme and how attacks can become so efficient that they turn into the main building blocks for new cryptosystems.
Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities
Marco Squarcina
Cookies have a long history of vulnerabilities targeting their confidentiality and integrity. To address these issues, new mechanisms have been proposed and implemented in browsers and server-side applications. Notably, the updated cookie standard RFC 6265bis improved the Secure attribute and introduced cookie prefixes to strengthen cookie integrity against network and same-site attackers, whereas the SameSite attribute has been touted as the solution to CSRF. On the server, token-based protections are considered an effective defense for CSRF in the synchronizer token pattern variant.
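The cookie-prefix rules mentioned above are the browser-side check that decides whether a `__Secure-` or `__Host-` cookie is accepted at all. The following is an added example, not code from the talk or its authors: it parses a `Set-Cookie` header value and applies the RFC 6265bis prefix requirements (`__Secure-` needs the Secure attribute from a secure origin; `__Host-` additionally forbids a Domain attribute and requires `Path=/`). The helper names (`parse_set_cookie`, `prefix_violation`) and the sample headers are this example's own.

```python
"""Added example: RFC 6265bis cookie-prefix validation as a browser applies it to a
Set-Cookie header value.  Not part of the original talk; helper names are assumed."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class SetCookie:
    name: str
    value: str
    secure: bool = False
    domain: Optional[str] = None
    path: Optional[str] = None
    samesite: Optional[str] = None


def parse_set_cookie(header: str) -> SetCookie:
    """Split a Set-Cookie header value into name, value and the attributes we check."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = SetCookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "domain":
            # A leading dot is ignored by modern browsers; normalise it away.
            cookie.domain = val.lstrip(".").lower() or None
        elif key == "path":
            cookie.path = val or None
        elif key == "samesite":
            cookie.samesite = val.lower() or None
    return cookie


def prefix_violation(cookie: SetCookie, from_secure_origin: bool) -> Optional[str]:
    """Return the reason a browser must reject this cookie under the prefix rules,
    or None when it is acceptable.

    __Secure-: must carry Secure and be set from a secure (https) origin.
    __Host-:   additionally must have no Domain attribute and Path=/, so the
               cookie is bound to exactly one host and cannot be overwritten
               by a cookie tossed from a sibling or parent domain.
    """
    prefixed = cookie.name.startswith("__Secure-") or cookie.name.startswith("__Host-")
    if prefixed:
        if not cookie.secure:
            return "prefixed cookie lacks the Secure attribute"
        if not from_secure_origin:
            return "prefixed cookie set from an insecure origin"
    if cookie.name.startswith("__Host-"):
        if cookie.domain is not None:
            return "__Host- cookie must not carry a Domain attribute"
        if cookie.path != "/":
            return "__Host- cookie must have Path=/"
    return None


# Constructed sample headers (not from the talk) and their expected verdicts.
SAMPLE_HEADERS = [
    ("__Host-session=abc123; Secure; Path=/; SameSite=Lax", True),
    ("__Host-session=abc123; Secure; Path=/; Domain=example.com", True),
    ("__Secure-token=xyz; Path=/", True),
    ("__Secure-token=xyz; Secure; Path=/", False),
    ("plain=1", False),
]


def audit(samples=SAMPLE_HEADERS) -> dict:
    """Map each sample header to its rejection reason (None = accepted)."""
    return {hdr: prefix_violation(parse_set_cookie(hdr), secure) for hdr, secure in samples}


if __name__ == "__main__":
    for header, verdict in audit().items():
        print(f"{'ACCEPT' if verdict is None else 'REJECT'}: {header}  {verdict or ''}")
```

Only the `__Host-` variant gives a server a cookie it can trust to have come from its own host; a `__Secure-` cookie is still writable by a same-site subdomain that can set a Domain attribute, which is exactly the integrity gap the prefix scheme was designed around.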
In this talk, we will focus on real-world security implications of cookie integrity issues and show how security mechanisms previously considered robust can be bypassed, exposing Web applications to session integrity attacks such as session fixation and cross-origin request forgery (CORF). Our research contributed to updates to the cookies standard, 12 CVEs, and 30 vulnerability disclosures affecting browsers (Firefox and Chrome), major Web development frameworks (Express, Flask, Symfony, Fastify, etc.), and server-side programming languages and middlewares (PHP, Werkzeug). We will show how these vulnerabilities can be exploited by introducing novel cookie tossing techniques, and present our new CORF token fixation attack, which bypasses common implementations of the synchronizer token pattern CSRF protection mechanism. We will conclude by discussing the mitigations adopted after our coordinated disclosure with the affected vendors.
Rowhammer has been a busy field in system security research since its discovery in 2014. To this day, it remains the most prevalent fault injection attack on modern computing platforms. In this talk, we explore Rowhammer in three chapters:
Exploration:
Our first part investigates the intricate process of reliably triggering Rowhammer bitflips. We explore manual and fuzzing-based techniques that maximize the number of bitflips for different DRAM architectures. In addition, we present our most recent research on the transferability of bitflips and the evaluation of Rowhammer fuzzers.
Exploitation:
The second part of our presentation shows a broad range of Rowhammer exploitation techniques. We analyze existing exploits on various targets ranging from virtual machines to cryptographic algorithms to neural networks, demonstrating the capabilities and limitations of Rowhammer as an attack vector. Our talk discusses rapid prototyping techniques for crafting novel exploits and even introduces the concept of simulating Rowhammer exploits as presented by our research.
Fixing Rowhammer:
Finally, we give an overview of solutions that mitigate the Rowhammer vulnerability. We discuss proposed and implemented solutions on both the hardware and software levels, examining the effectiveness of various mitigation techniques. We evaluate the trade-offs and challenges of mitigating Rowhammer and discuss the ongoing efforts to secure systems against this threat.
PyJails in the Wild: Bringing CTF Challenges to the Real World
Chih-Jen Huang
CTF (Capture The Flag) is often criticized as having no practical application. However, we believe that the skills and techniques learned in CTF competitions can, in fact, play a critical role in real-world software security. In this presentation, we will introduce several real-world PyJail cases that we've discovered. In CTF, PyJail refers to a restricted Python environment, and participants aim to bypass these restrictions to obtain a "flag." Similar scenarios exist in the real world.
We will categorize the PyJail cases we encounter into two major types. The first is the "code execution jail," where users can provide code, but it runs in a restricted environment to prevent abuse of malicious code. The second type is the "deserialization jail." In some Python serialization formats, deserialization may involve specific operational behaviors, and we need to execute arbitrary code or perform other dangerous actions within limited operations.
We will delve deep into these implementation types and share the real-world cases we've found, as well as how we successfully bypassed these restrictions. This presentation will help participants better understand how CTF techniques can translate into practical software security practices in the real world.
VirtualBox is collapsing: an n-day story
Luca Ginex
Hypervisors are an important piece of technology in today's world: from cloud infrastructures, run by Hyper-V (Azure) and Amazon Firecracker-KVM (AWS), to operating system security (Virtualization-Based Security). The more this technology is used to enforce security boundaries between different components, the more its security matters. In this talk I am going to walk you through the exploit development process for a vulnerability in VirtualBox, which will lead to privilege escalation to host OS ring 3. The first part of the talk is an introduction to the fundamentals of device emulation, which will later be used to explain the vulnerability.