The same procedure as every year
In the last 10 years I visited the chaos communication congress 9 times (at the beginning of my first talk I wrongly stated that it was my 10th visit in 11 years, I stand corrected) and year after year my friends and I had an awesome time. After missing the 29c3 in 2012 due to having recently immigrated in the US I really wanted to go to the 30c3. These hacker congresses are an awesome opportunity for researchers to synchronize with other hackers and to exchange and discuss new ideas for future projects. I also enjoy syncing up with all my friends that I happen to meet at the c3 between x-mas and new year's eve.
Getting there and exploring the new location
As I was already in Europe to visit family over x-mas getting there was fairly easy with just one short direct flight of about an hour. Hamburg is a great and location and the airport is just a short train ride from the city center (almost comparable to Zurich). The chaos communication congress moved from the BCC (Berlin Congress Center) in Berlin to the CCH (Congress Center Hamburg) in Hamburg in 2012 and this was the second time at the newer, bigger location that would not be too small or two crowded for the next several years. First of all, the location is much bigger and many things changed compared to the BCC. It is no longer a cozy, familiar atmosphere like in the old days of the 21c3 or so. There are roughly 10k hackers, nerds, journalists, and other agents walking around and if you don't know people already it is kind of hard getting to know them. Comparable to defcon the 30c3 has become more of a privileged event with different classes and due to the sheer size you tend to stick to the people you already know. I still met a bunch of new people and I also tried to get to know a bunch of other random people as well but I felt that it was getting harder.
Regarding the new location I must say that I like the CCH. It took me the better part of the first day to find my bearings but navigation was smooth afterwards (i.e., I could just follow the tubes for the Seidenstrasse project, a large, ad hoc pneumatic delivery system). Maybe for future events the c3 organizers should add (more) routing signs for newcomers, especially if it gets even more crowded.
In this section I want to highlight a bunch of technical talks I watched during the 30c3. There were way too many good talks to list all of them here and there is not enough space to write about all of them in detail. My intention is to encourage you to follow the links and to watch the talks as well. The talks are rated from 1 (bad, don't watch) to 10 (awesome, you have to watch this immediately). My talks are marked ?; obviously my opinion is that they are great but I'll let you judge them for yourself.
In this talk, Stefan gives us a quick and dirty overview of different firmware analysis tools and individual steps needed to recover, analyze, and disassemble firmware of an unknown device.
Symbolic execution is a great tool that can be used to help a programmer find some input that will trigger a well defined condition inside a binary program. In this talk we learn the concepts of symbolic execution, potential use cases, and how far we can scale symbolic execution (i.e., for what tasks it is feasible).
Another iteration of the security in mobile networks topic by Karsten and Luca. The talk was entertaining and interesting while they did not present too many new things.
Andreas fights for memory safety guarantees for low level languages. He took some time to tell us about all the possible memory corruption vulnerabilities that exist in low level code and advocates to use compiler extensions like SoftBound+CETS that enforce (some form of) memory safety for C and C++. Currently he is working on porting FreeBSD (and SoftBound+CETS) to offer a safe version of the FreeBSD distribution where memory corruption is no longer possible. Unfortunately, this will cost some runtime performance and while he was not explicit about the overhead, the original papers mention up to 300% runtime overhead.
Baseband chips and operating systems changed a lot in recent years. Most new mobiles and smart phones produced in recent years run on Qualcomm chips. Exploitation of these systems got much harder due to additional security hardening of the operating system and a change of the CPU architecture. This talk explains how we can still hack these systems.
I must say I love Sergey's talks (especially the ones at the c3), they are always fun, usually go several layers down into the system architecture, and I always learn something new. This time Sergey and his companions talked about Turing complete computation using only ELF relocations. Using different forms of relocations you can force the standard loader to rewrite partial relocation entries and force additional relocations ending up in Turing complete modifications of the program during the loading process (i.e., after verification but before the first instruction of the application is executed).
Nice overview talk about reverse engineering and attacking integrated circuits from the backside. Instead of going down from the top (facing potential reverse engineering counter measures) one can start from the bottom and go up the layers. This talk gives an introduction into this reverse engineering process.
SCADA is still bad, m'kay. New examples of how bad SCADA systems are in the real world, including some details on SCADA systems that are connected to the internet and are openly accessible.
Android reverse engineering is a potentially hard problem due to the mix of native code and Dalvik bytecode. This talk presents an approach to instrument the Dalvik part of an Android application with some additional features. In the talk Collin gives some nice examples on how to circumvent in-store purchases resulting in free stuff.
In the beginning malware executed on the same privilege level as the anti-malware software. Over time, the anti-malware software tried to move up on the levels of abstraction (and privileges) to keep control even if the malware was able to successfully gain control of one privilege level. In this talk we learn that malware may move up to the hardware level, circumventing all possible protection mechanisms.
In my second talk I discuss memory safety violations in general and memory corruption vulnerabilities in particular. At the core, memory safety violations are the cause for many of the exploitable bugs in programs written in low level languages like C or C++. In the talk we discuss a model on what kind of capabilities an attacker needs to execute a control flow hijack attack (starting with the initial memory safety violation). In the later part we discuss different strategies that would stop the attack from succeeding, why current defense mechanisms are not sufficient, and what the future will bring us.
Going down the ISA rabbit hole. Gal lectures about low level security implications that virtualization will bring us and what kind of pitfalls we face when using different virtualization technologies. Hardcore talk with lots of low-level details.
I wondered for a long time if I should order this talk under the political/social talks or under the technical talks. FX delivers a great rant about lawful interception, how governmental tracking works, and what we might be able to do about it. Not his best talk but greatly entertaining.
Talks I have not watched yet
Due to the tight schedule this year I missed way too many great talks. Luckily all the talks were recorded and will be made available in the next couple of days (so expect a follow up blog post on other watchful talks).
- A (short) list of the many talks I want to watch in the next weeks include:
- The Year in Crypto: Nadia Heninger, djb, Tanja Lange
- Hardware Attacks, Advanced ARM Exploitation, and Android Hacking: Stephen A. Ridley
- Fast Internet-wide Scanning and its Security Applications: J. Alex Halderman
- Security Nightmares: frank, Ron
- and probably all other technical talks in due time.