FloatZone: how Floating Point Additions can Detect Memory Errors Floris Gorter

Memory sanitizers are powerful tools to detect spatial and temporal memory errors, such as buffer overflows and use-after-frees. Fuzzers and software testers often rely on these tools to discover the presence of bugs. Sanitizers, however, struggle with high runtime overhead as a result of having to perform expensive checks to validate memory accesses. These checks involve at least a memory lookup, a comparison, and a conditional branch instruction.
In this talk, we introduce FloatZone, a compiler-based sanitizer to detect spatial and temporal memory errors in C/C++ programs using lightweight checks that leverage the Floating PointUnit (FPU). With FloatZone, we show that the combined effects of “lookup, compare, and branch” can be achieved with a single floating point addition that triggers an underflow exception in the case of a memory violation.
This novel method to detect illegal accesses greatly improves performance by avoiding the drawbacks of traditional comparisons: it prevents branch mispredictions, enables higher instruction-level parallelism due to offloading to the FPU, and also reduces the cache miss rate due to the lack of shadow memory.

Attacks and New Developments in Isogeny-based Cryptography Luciano Maino

Recent advancements in quantum computing are undermining the security of the current public-key infrastructure. In response to this threat, a new branch of cryptography, called post-quantum cryptography, has appeared. Post-quantum cryptography aims at having cryptosystems that not only can run on ordinary laptops but are also resistant to the quantum threat.
Some of the solutions suggested so far rely on isogenies. Isogenies are special maps between elliptic curves. Arguably, the most influential cryptosystem in this field is Supersingular Isogeny Diffie-Hellman (SIDH).
In this talk, I will narrate the bitter-sweet story of SIDH: from being a candidate in the NIST Post-Quantum standardisation process to its recent break. Then, I will explain how to make the most out of a broken scheme and how attacks can become so efficient to be the main building blocks for new cryptosystems.

Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities Marco Squarcina

Cookies have a long history of vulnerabilities targeting their confidentiality and integrity. To address these issues, new mechanisms have been proposed and implemented in browsers and server-side applications. Notably, the updated cookie standard RFC6265bis improved the Secure attribute and introduced cookie prefixes to strengthen cookie integrity against network and same-site attackers, whereas the SameSite attribute has been touted as the solution to CSRF. On the server, token-based protections are considered an effective defense for CSRF in the synchronizer token pattern variant.
In this talk, we will focus on real-world security implications of cookie integrity issues and show how security mechanisms previously considered robust can be bypassed, exposing Web applications to session integrity attacks such as session fixation and cross-origin request forgery (CORF). Our research contributed to updates to the cookies standard, 12 CVEs, and 30 vulnerability disclosures affecting browsers (Firefox and Chrome), major Web development frameworks (Express, lask, Symfony, Fastify, etc.), and server-side programming languages and middlewares (PHP, Werkzeug). We will show how these vulnerabilities can be exploited by introducing novel cookie tossing techniques, and present our new CORF token fixation attack, which bypasses common implementations of the synchronizer token pattern CSRF protection mechanism. We will conclude by discussing the mitigations adopted after our coordinated disclosure with the affected vendors.

Rowhammer Revisited: From Exploration to Exploitation and Mitigation Lukas Gerlach Daniel Weber

Rowhammer has been a busy field in system security research since its discovery in 2014. Until the current day, it remains the most prevalent fault injection attack on modern computing platforms. In this talk, we explore Rowhammer in three chapters:
Our first part investigates the intricate process of reliably triggering Rowhammer bitflips. We explore manual and fuzzing-based techniques that maximize the number of bitflips for different DRAM architectures. In addition, we present our most recent research on the transferability of bitflips and the evaluation of Rowhammer fuzzers.
The second part of our presentation shows a broad range of Rowhammer exploitation techniques. We analyze existing exploits on various targets ranging from virtual machines to cryptographic algorithms to neural networks, demonstrating the capabilities and limitations of Rowhammer as an attack vector. Our talk discusses rapid prototyping techniques for crafting novel exploits and even introduces the concept of simulating Rowhammer exploits as presented by our research.
Fixing Rowhammer:
Finally, we give an overview of solutions that mitigate the Rowhammer vulnerability. We discuss proposed and implemented solutions on both the hardware and software levels, examining the effectiveness of various mitigation techniques. We evaluate the trade-offs and challenges of mitigating Rowhammer and discuss the ongoing efforts to secure systems against this threat.

PyJails in the Wild: Bringing CTF Challenges to the Real World Chih-Jen Huang

CTF (Capture The Flag) is often criticized as having no practical application. However, we believe that the skills and techniques learned in CTF competitions can, in fact, play a critical role in real-world software security. In this presentation, we will introduce several real-world PyJail cases that we've discovered. In CTF, PyJail refers to a restricted Python environment, and participants aim to bypass these restrictions to obtain a "flag." Similar scenarios exist in the real world.
We will categorize the PyJail cases we encounter into two major types. The first is the "code execution jail," where users can provide code, but it runs in a restricted environment to prevent abuse of malicious code. The second type is the "deserialization jail." In some Python serialization formats, deserialization may involve specific operational behaviors, and we need to execute arbitrary code or perform other dangerous actions within limited operations.
We will delve deep into these implementation types and share the real-world cases we've found, as well as how we successfully bypassed these restrictions. This presentation will help participants better understand how CTF techniques can translate into practical software security practices in the real world.

VirtualBox is collapsing: a n-day story Luca Ginex

Hypervisors are an important piece of technology in today's world: from cloud infrastructures, run by Hyper-V (Azure), Amazon Firecracker-KVM (AWS), to operating systems security (Virtualization-Based Security). The more this technology is used to enforce security boundaries between different components, the more its security is important. In this talk I am going to walk you through the exploit development process for a vulnerability in VirtualBox, which will lead to privilege escalation to host os ring 3. The first part of the talk is an introduction to the fundamentals of devices emulation, which will be later used to explain the vulnerability.