28c3 - 28th Chaos Communication Congress & Berlin Sides or a tough week in Berlin


Last week we celebrated that special time of the year again. For me it was the 8th time that we went to the Chaos Communication Congress and the 3rd time that I had a talk. This year we also had tokens for the BerlinSides, a side conference with only technical talks, organized by Aluc.

We carried out the same procedure as every year: Stormbringer and I met on December 26th at around 7pm at the airport in Zürich for a beer or two. Unfortunately he was late, so I had to drink alone. No harm was done as I still had to finish the slides for my talk. The flight was really smooth and we arrived at 11pm at the hostel. Following our regular procedure we walked right to the bcc to get our badges (and the first couple of beers).

A couple of things changed this year: the bcc committee no longer allowed smoking inside the venue, so the hack lounge (which was very cozy in the last couple of years, with many couches, music, video installations, and good wired network connectivity) was replaced by a smoking tent outside the bcc that had maybe 1/100 of the style. The hacking area was never as crowded as it was in earlier years, and the hackers are moving more and more towards software only. Nevertheless we had to try out the lounge/tent on the first day and were thrown out at around 4am. That was another novelty: for the first time the bcc (or parts of the congress) closed during the night.

The following four days went by in a blur. I watched many interesting talks, met many interesting people, had good discussions, had a blast during my talk, and had the one-odd beer or so. I organized the interesting talks into three categories: technical talks, political / social talks, and talks that I would have liked to watch. The talks are ordered according to my subjective rating on a scale from 1 to 10.

Technical talks:

String Oriented Programming, Mathias Payer (my talk)

Mathias first gives an overview of all the different attack vectors that are currently used in exploits (code injection, return oriented programming, jump oriented programming, and format string attacks). He then discusses the available defenses on current systems (Data Execution Prevention, Address Space Layout Randomization, and ProPolice). Using a tool that emits specially crafted format strings, he presents an attack that rewrites static regions of a program (e.g., the GOT or PLT regions of the main executable) into a jump/return oriented interpreter that reuses parts of the application to execute arbitrary code.

Print Me If You Dare, Ang Cui, Jonathan Voris (8)

Ang et al. present an awesome hack: how to upload your own malware to regular HP printers. Current HP printers are connected to the network, have fairly powerful processors, and can be updated (without authentication) over the Internet. The talk includes a live demo. Great presentation!

Datamining for Hackers, Stefan Burschka (7+)

Stefan gave a great talk about the potential of datamining and how it can be used to exploit and analyze legacy systems. Stefan talks about traffic mining, where he looks exclusively at traffic patterns and unencrypted header fields (e.g., length, flags) to infer details of the encrypted connection (e.g., pauses, which party is speaking, and other details). All in all an entertaining talk with a medium level of detail and verbosity.
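To make the "which party is speaking" inference concrete, here is an added example that is not from Stefan's talk or tooling. It assumes a constructed two-party call in which both endpoints send one encrypted packet every 20 ms, a talking endpoint sends full speech frames and a silent one sends small comfort-noise frames (the sizes are assumptions), and the analyst sees only timestamp, direction and length, never the payload:

```python
from collections import defaultdict

# Constructed call model (assumed for this example, not data from the talk):
# both endpoints send one encrypted RTP-like packet every 20 ms; a talking
# endpoint sends full speech frames, a silent one sends small comfort-noise
# frames. Only timestamp, source and length are used, never the payload.
INTERVAL_MS = 20
SPEECH_LEN = 160      # bytes on the wire while talking (assumed codec frame size)
SILENCE_LEN = 12      # bytes on the wire during silence suppression (assumed)


def synth_trace(schedule):
    """schedule: list of (start_ms, end_ms, speakers), speakers a set drawn
    from {"A", "B"}. Returns constructed (t_ms, src, length) packet records."""
    trace = []
    for start, end, speakers in schedule:
        for t in range(start, end, INTERVAL_MS):
            for src in ("A", "B"):
                length = SPEECH_LEN if src in speakers else SILENCE_LEN
                trace.append((t, src, length))
    return trace


def infer_activity(trace, window_ms=200, big=64, threshold=0.5):
    """Traffic mining on header fields only: for every window, the set of
    endpoints whose packets were mostly large, i.e. who was speaking.
    An empty set marks a pause in the conversation."""
    counts = defaultdict(lambda: {"A": [0, 0], "B": [0, 0]})  # src -> [large, total]
    for t, src, length in trace:
        w = (t // window_ms) * window_ms
        counts[w][src][0] += length >= big
        counts[w][src][1] += 1
    timeline = []
    for w in sorted(counts):
        active = {src for src, (large, total) in counts[w].items()
                  if total and large / total >= threshold}
        timeline.append((w, active))
    return timeline


def pauses(timeline):
    """Window start times in which nobody was speaking."""
    return [w for w, active in timeline if not active]


# Ground truth for the constructed call: A talks, a pause, B talks, then both.
SCHEDULE = [(0, 1000, {"A"}), (1000, 1600, set()),
            (1600, 2400, {"B"}), (2400, 2800, {"A", "B"})]

if __name__ == "__main__":
    tl = infer_activity(synth_trace(SCHEDULE))
    for w, active in tl:
        print(f"{w:5d} ms: {', '.join(sorted(active)) or 'pause'}")
    print("pauses at", pauses(tl))
```

The point of the example is that the recovered timeline matches the schedule exactly although not a single payload byte was inspected; on real traffic the same idea needs a codec-specific size threshold and a window long enough to smooth out lost or reordered packets.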

802.11 Packets in Packets, Travis Goodspeed (and Sergey Bratus) (7)

Travis and Sergey introduce probabilistic packet injection. If the wireless channel is congested in one way or another, or if there is interference, then the transmission of a packet can be incomplete. The main idea of the hack is that a part of the original (legit) packet is destroyed during the transmission, while the data section of that packet contains a complete inner packet of the same protocol (including its own preamble and header). If the header of the original packet is destroyed, the receiver resynchronizes on the inner packet and parses it like a regular packet. This hack can be used to inject illegal packets into protected networks (e.g., somebody downloads a large file; some packets are transmitted wrongly and are reinterpreted as "attack packets" due to the Trojan horse character of the packets). The idea is really nice, but I doubt that an attacker is able to race a sufficient number of times against the (very low) probability that only the header is destroyed and no other part of the data section that contains the illegal packet. After the talk I actually asked this question and Travis did not really answer it.
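To make the mechanism (and the probability question) concrete, here is an added simulation that is not from the talk or from Travis and Sergey's code. It assumes a toy framing format (PREAMBLE, SYNC, one-byte destination and length) standing in for the real 802.11 PLCP, a receiver that hunts for preamble+sync and then swallows LEN payload bytes without inspecting them, and a channel that corrupts each byte independently with probability p:

```python
import random

# Toy on-air framing (assumed for this example; not the real 802.11 PLCP layout):
#   PREAMBLE  SYNC  DST(1)  LEN(1)  PAYLOAD(LEN)
PREAMBLE = b"\xaa\xaa\xaa\xaa"
SYNC = b"\xd3\x91"
HDR = PREAMBLE + SYNC          # the pattern the receiver hunts for in the symbol stream


def build_frame(dst: int, payload: bytes) -> bytes:
    assert len(payload) < 256
    return HDR + bytes([dst, len(payload)]) + payload


def receive(stream: bytes) -> list[tuple[int, bytes]]:
    """Model of a radio receiver: scan for preamble+sync, parse one header,
    swallow LEN payload bytes without looking at them, then scan again."""
    frames = []
    i = 0
    while True:
        j = stream.find(HDR, i)
        if j < 0 or j + len(HDR) + 2 > len(stream):
            return frames
        dst, n = stream[j + len(HDR)], stream[j + len(HDR) + 1]
        body = stream[j + len(HDR) + 2 : j + len(HDR) + 2 + n]
        frames.append((dst, body))
        i = j + len(HDR) + 2 + len(body)


# Attacker-chosen frame, smuggled as plain data inside a legitimate frame.
INNER = build_frame(0x41, b"ATTACK")
OUTER = build_frame(0x10, b"file-chunk:" + INNER + b":more-bytes")


def corrupt(stream: bytes, p: float, rng: random.Random) -> bytes:
    """Channel model: each byte is replaced by a random other value with probability p."""
    out = bytearray(stream)
    for k in range(len(out)):
        if rng.random() < p:
            out[k] ^= rng.randrange(1, 256)
    return bytes(out)


def injection_rate(p: float, trials: int, seed: int = 0) -> float:
    """Fraction of noisy transmissions of OUTER in which the receiver emits INNER
    as if it had been transmitted on its own (outer framing lost, inner intact)."""
    rng = random.Random(seed)
    hits = sum((0x41, b"ATTACK") in receive(corrupt(OUTER, p, rng)) for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print(receive(OUTER))                                   # clean channel: only the outer frame
    print(receive(b"\x00" * len(HDR) + OUTER[len(HDR):]))   # outer preamble lost: inner surfaces
    for p in (0.001, 0.01, 0.05):
        print(f"p={p}: injection rate {injection_rate(p, 5000):.3f}")
```

On a clean channel the inner frame is invisible (it is just payload bytes); once the outer preamble is lost, the receiver locks onto the inner preamble and hands the inner frame up the stack. The Monte-Carlo loop gives the per-transmission success rate for a given corruption probability, which is the number you would multiply by the attacker's number of attempts to judge whether the race is winnable.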

Can trains be hacked?, Stefan Katzenbeisser (7)

Interesting talk (in German) about the history of train safety (including information on signalling, relays, and so on). Stefan also goes into detail on "Stellwerke" (interlocking systems / signal boxes).

The Atari 2600 Video Computer System: The Ultimate Talk, Sven Oliver ('SvOlli') Moll (6)

Interesting talk by Sven about all the Atari 2600 internals. Sven was inspired by Michael Steil's talk at 26c3 about the C64 internals (which was an awesome talk as well, go watch the recording!). Sven presents a nice introduction to all the hardware details of the Atari 2600, the development of ROM/RAM boards, and a lot of nitty-gritty detail about programming that hardware.

x86 oddities, corkami (6)

Corkami presents nice subtleties of x86 machine code. He shows undocumented instructions and, especially, how these instructions can be used in packers and malware to circumvent debuggers, emulators, and other checking techniques. Very low-level talk that assumes a lot of prior knowledge of x86. Overall very interesting; unfortunately there is no recording available.

Reverse Engineering USB Devices, Drew Fisher (6)

Drew is an MSc student in Human Interaction at UC Berkeley. He talks about the USB protocol and how to reverse engineer drivers for new USB hardware.

Introducing Osmo-GMR, Sylvain Munaut (6)

Hacking satellite phones. Sylvain introduces a new feature for the Osmo software stack.

Defending mobile phones, Karsten Nohl, Luca Melette (5)

Karsten and Luca show how to clone an existing mobile phone, given a regular call that can be eavesdropped. The cloned phone can be used to call premium numbers or to send text messages to premium services. After the motivating example they show how the attacks that Karsten and co. developed during the last couple of congresses can be mitigated using additional software, additional checks, or new algorithms. Interesting talk, but the "big hack" was missing. They gave a great overview of the available attacks but failed to bring up something new (for this year).

Rootkits in your Web application, Artur Janc (5)

A regular XSS bug is used in combination with new HTML5 features to implement persistent rootkits in web applications. The combination of persistence and XSS bugs enables rootkits that reinstall themselves even if caches are cleared. Artur also explains how these rootkits can be used to grab information and forge, e.g., banking sites.

New Ways I'm Going to Hack Your Web App, Jesse Ou, Rich (5)

Similar to Rootkits in your Web application. Featuring HTML5, XSS attacks, and other nice technologies.

Cellular protocol stacks for Internet, Harald Welte (5)

Great overview talk of all the wireless protocols used in the last 20 years. If you want to know more about GSM, UMTS, and all the other protocols, then go watch this talk to get some pointers. If you are not interested in an overview, then the talk is just a 1hr show of three-letter acronyms.

Time is on my Side, Sebastian Schinzel (5)

Sebastian is a PhD student in Erlangen. He studies side-channel attacks on web pages. The talk introduces timing analysis, how to get exact timing measurements, and how to remove jitter. He talks about different approaches based on TCP/IP to measure jitter for each packet instead of per connection. If the server side is layered (PHP on top of Apache) then you need domain-specific knowledge: you need to know which parts are sent by Apache and when control is passed to PHP. Using this domain-specific knowledge you can reduce the jitter attributed to the PHP application. The idea is pretty straightforward: do n measurements, do statistical analysis, compare, get hidden data. The talk closes with an attack on XML encryption: the server's RSA (PKCS#1) decryption leaks timing information (a pre-existing attack), and combining both techniques breaks XML-encrypted messages.
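The "measure n times, do statistics, compare" loop, as an added example that is not from Sebastian's talk or tooling. It assumes a constructed 4-byte secret, a server whose early-exit comparison costs a fixed PER_BYTE_US per byte examined on top of a constant base latency, and additive non-negative (exponential) jitter; the attacker's statistic is the minimum of n samples, which filters exactly that kind of jitter. The same attack is then run against a constant-time comparison to show the mitigation:

```python
import random

SECRET = b"k7Q2"            # constructed secret the attacker wants to recover
ALPHABET = b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
BASE_US = 200.0             # assumed fixed server latency
PER_BYTE_US = 5.0           # assumed cost per byte examined by the comparison
JITTER_MEAN_US = 20.0       # assumed mean of the additive network jitter


def leaky_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit comparison (the vulnerable pattern): returns (equal, bytes examined)."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def constant_time_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Hardened form: always examines every byte, so work does not depend on the match."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def oracle(guess: bytes, compare, rng: random.Random) -> tuple[bool, float]:
    """Simulated server: the response and its latency in microseconds, jitter included."""
    equal, examined = compare(SECRET, guess)
    latency = BASE_US + PER_BYTE_US * examined + rng.expovariate(1.0 / JITTER_MEAN_US)
    return equal, latency


def recover(compare, samples: int = 100, seed: int = 7) -> bytes:
    """Byte-by-byte recovery: for each position take the candidate whose minimum
    latency over `samples` requests is largest (one more byte examined)."""
    rng = random.Random(seed)
    known = b""
    for pos in range(len(SECRET)):
        best, best_t = None, -1.0
        for c in ALPHABET:
            guess = known + bytes([c]) + b"\x00" * (len(SECRET) - pos - 1)
            times = []
            for _ in range(samples):
                equal, t = oracle(guess, compare, rng)
                if equal:                  # last byte: the server itself confirms it
                    return guess
                times.append(t)
            t_min = min(times)             # the statistic: minimum filters additive jitter
            if t_min > best_t:
                best, best_t = c, t_min
        known += bytes([best])
    return known


if __name__ == "__main__":
    print("leaky compare   :", recover(leaky_compare))
    print("constant time   :", recover(constant_time_compare))
```

The minimum is the right statistic when the noise is additive and non-negative (queueing delay); for symmetric noise a median or a box test on a low percentile is used instead, which is where the per-packet jitter measurement from the talk pays off. Against the constant-time comparison the candidates' minima differ only by noise and the recovered "secret" is garbage.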

Security Log Visualization with a Correlation Engine, Chris Kubecka (5)

Solid talk about how to use correlation engines to analyze log files.

Apple vs. Google Client Platforms, Bruhns, FX of Phenoelit, greg (4)

FX and colleagues pick apart the Apple and Google client platforms. They analyze the hardware platforms of the Google Chromebook (no good exploits found) and the iPad 1 (some possible exploits similar to redsn0w found; redsn0w uses a bug in the boot ROM that cannot be fixed by Apple). They also found some bugs in the app markets of Apple and Google: both markets are vulnerable to XSS. All in all I expected more of this talk. The presentation was good, but FX was overselling the bugs they found and in my opinion there was too much bashing.

Protecting Software, dosbart (3)

How to protect legacy software from piracy. So-so talk that ended in a long rant against piracy and software cracking.

X(tra|ml|slt|query|dp|mas) pwnage, Nicob (3)

Use XSL bugs to inject new code into a server and execute it server-side. Nicob includes details on how to translate procedural code into the functional style that XSL requires. The talk was not that interesting as he presented too many details on how to write code instead of showing individual attacks.

Automatic Algorithm Invention with a GPU, Wes Faler (2)

Wes talks about genetic programming and GPU programming. I was not that interested in the topic of the talk and drifted off pretty soon. In addition I do not believe that genetic programming or some other automatic programming techniques will be able to evolve automatically generated code to very complex/optimized algorithms.

Political / social talks:

Hacker Jeopardy (9)

Jeopardy game show with hacking questions. Awesome, just like every year!

„Die Koalition setzt sich aber aktiv und ernsthaft dafür ein“, maha/Martin Haase (8)

Unfortunately this talk is only available in German. Martin Haase analyzes the speeches of politicians and shows their use (and misuse) of language. Interesting and funny as usual.

Fnord-Jahresrückblick, Felix von Leitner, Frank Rieger (8)

The second political talk that is only available in German. Fefe and Frank talk about what happened during the year and give a nice "fnord" review about all the political, social, and other mishaps. Funny and entertaining, although not the best Fnord show ever.

Der Staatstrojaner, 0zapftis, Constanze Kurz, Frank Rieger, Ulf Buermeyer (7)

The third political talk that is only available in German. The group reviews the Trojan horse that was developed on behalf of German authorities to spy on citizens. They analyze both the technical and the political side and give a great review of the development.

The coming war on general computation, Cory Doctorow (6)

Cory discusses the problem with Turing-complete CPUs: they can be used to compute anything, while appliance makers now want to ensure that only specific functionality can be executed on these CPUs. This is hard to enforce.

The Hack will not be televised?, Caspar Clemens Mierau (6)

One of the few talks that was not recorded (due to copyright issues; a torrent might be available). Caspar shows different hacking sequences from movies. He talks about the hacks and how they are shown on screen. I liked the movie sequences but I do not like his takeaways (e.g., women are not hackers).

"Neue Leichtigkeit", Alex Antener, Amelie Boehm, Andrin Uetz, Jonas Bischof, Ruedi Tobler, Samuel Weniger (6)

Artistic show with lots of booze.

SCADA and PLC Vulnerabilities in Correctional Facilities, Tiffany Rad, Teague Newman, John Strauchs (4)

New breakthroughs in SCADA systems... More and more people know about the vulnerabilities in SCADA and PLC systems. These systems are also used in correctional facilities, so exploits and expertise for these systems can be used to break out of prisons. Tada.

What I would have liked to watch:

So your 0day exploit beats ASLR, DEP and FORTIFY? I don’t care, Erik Bosman

Erik would have presented Minemu, a minimal binary translator that performs full memory taint tracking. I read the paper and the work looks solid; the discussion with Erik was also very interesting. Unfortunately the talk was canceled due to timing issues.