Getting there and exploring the new location
As I was already in Europe to visit family over Christmas, getting there was
fairly easy with just one short direct flight of about an hour. Hamburg is a
great location and the airport is just a short train ride from the city center
(almost comparable to Zurich). The Chaos Communication Congress moved from the
BCC (Berlin Congress Center) in Berlin to the CCH (Congress Center Hamburg) in
Hamburg in 2012, and this was the second time at the newer, bigger location,
which should not be too small or too crowded for the next several years. First
of all, the location is much bigger and many things changed compared to the
BCC. It is no longer the cozy, familiar atmosphere of the old days of the 21c3
or so. There are roughly 10k hackers, nerds, journalists, and other agents
walking around, and if you don't know people already it is kind of hard to get
to know them. Comparable to DEF CON, the 30c3 has become more of a privileged
event with different classes, and due to the sheer size you tend to stick to
the people you already know. I still met a bunch of new people and also tried
to get to know a bunch of other random people, but I felt that it was getting
harder. Regarding the new location, I must say that I like the CCH. It took me
the better part of the first day to find my bearings, but navigation was
smooth afterwards (i.e., I could just follow the tubes of the Seidenstrasse
project, a large, ad hoc pneumatic delivery system). Maybe for future events
the c3 organizers should add (more) routing signs for newcomers, especially if
it gets even more crowded.
In this section I want to highlight a bunch of technical talks I watched during
the 30c3. There were way too many good talks to list all of them here and there
is not enough space to write about all of them in detail. My intention is to
encourage you to follow the links and to watch the talks as well. The talks are
rated from 1 (bad, don't watch) to 10 (awesome, you have to watch this
immediately). My talks are marked ?; obviously my opinion is that they are
great but I'll let you judge them for yourself.
An introduction to firmware analysis: Stefan Widmann (4)
In this talk, Stefan gives us a quick and dirty overview of different firmware
analysis tools and individual steps needed to recover, analyze, and disassemble
firmware of an unknown device.
Triggering Deep Vulnerabilities Using Symbolic Execution: gannimo (?)
Symbolic execution is a great tool that can be used to help a programmer
find some input that will trigger a well-defined condition inside a binary
program. In this talk we learn the concepts of symbolic execution, potential
use cases, and how far we can scale symbolic execution (i.e., for what tasks it
Mobile network attack evolution: Karsten Nohl, Luca Melette (6)
Another iteration of the mobile network security topic by Karsten and Luca.
The talk was entertaining and interesting, although they did not present many
new things.
Bug class genocide: Andreas Bogk (7)
Andreas fights for memory safety guarantees in low-level languages. He took
some time to tell us about all the possible memory corruption vulnerabilities
that exist in low-level code and advocates using compiler extensions such as
SoftBound+CETS that enforce (some form of) memory safety for C and C++.
Currently he is working on porting FreeBSD (and SoftBound+CETS) to offer a safe
version of the FreeBSD distribution in which memory corruption is no longer
possible. Unfortunately, this costs some runtime performance, and while he
was not explicit about the overhead, the original papers mention up to 300%
Baseband Exploitation in 2013: RPW, esizkur (4)
Baseband chips and their operating systems have changed a lot in recent years,
and most new mobile phones and smartphones run on Qualcomm chips.
Exploitation of these systems got much harder due to additional security
hardening of the operating system and a change of the CPU architecture. This
talk explains how we can still hack these systems.
Revisiting "Trusting Trust" for binary toolchains: sergeybratus, Julian
I must say I love Sergey's talks (especially the ones at the c3); they are
always fun, usually go several layers down into the system architecture, and I
always learn something new. This time Sergey and his co-speakers talked about
Turing-complete computation using only ELF relocations. Using different kinds
of relocations you can make the standard loader rewrite other relocation
entries and trigger additional relocations, ending up in Turing-complete
modification of the program during the loading process (i.e., after
verification but before the first instruction of the application is executed).
Security of the IC Backside: nedos (4)
Nice overview talk about reverse engineering and attacking integrated circuits
from the backside. Instead of going down from the top (facing potential reverse
engineering countermeasures) one can start from the bottom and work up through
the layers. This talk gives an introduction to this reverse engineering process.
SCADA StrangeLove 2: repdet, sgordey (3)
SCADA is still bad, m'kay. New examples of how bad SCADA systems are in the
real world, including some details on SCADA systems that are connected to the
internet and are openly accessible.
Android DDI: Collin Mulliner (5)
Android reverse engineering is a potentially hard problem due to the mix of
native code and Dalvik bytecode. This talk presents an approach to instrument
the Dalvik part of an Android application with some additional features. In the
talk Collin gives some nice examples on how to circumvent in-store purchases
resulting in free stuff.
Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware:
In the beginning, malware executed at the same privilege level as the
anti-malware software. Over time, the anti-malware software moved to higher
privilege levels (lower layers of abstraction) to keep control even if the
malware successfully took over one privilege level. In this talk we learn that
malware may move all the way down to the hardware, circumventing every
software-based protection mechanism.
WarGames in memory: gannimo (?)
In my second talk I discuss memory safety violations in general and memory
corruption vulnerabilities in particular. At the core, memory safety violations
are the root cause of many of the exploitable bugs in programs written in
low-level languages like C or C++. In the talk we discuss a model of what kind
of capabilities an attacker needs to execute a control-flow hijack attack
(starting from the initial memory safety violation). In the later part we
discuss different strategies that would stop the attack from succeeding, why
current defense mechanisms are not sufficient, and what the future will bring
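Both memory safety talks (Bug class genocide above, and WarGames in memory)
revolve around the same two ingredients: a spatial or temporal memory safety
violation as the first step of a control-flow hijack, and the bounds and
identity metadata a SoftBound+CETS-style defense attaches to pointers to catch
it. The following is an added illustration, not code from either talk or from
the SoftBound+CETS implementation: a constructed object with a buffer followed
by a function pointer, an unchecked copy that silently overwrites the function
pointer, and a toy, pointer-carried version of SoftBound's base/bound and
CETS's key/lock checks that rejects the overflow and a later use-after-free.
All names (cptr, cmalloc, check_access, ...), the struct layout and the sample
input are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A pointer with the disjoint metadata SoftBound (base/bound) and CETS
 * (key/lock) maintain for it. Real implementations keep this in a shadow
 * table keyed by the pointer's address; here it simply travels with the
 * pointer. Names and layout are assumptions made for this example. */
typedef struct {
    unsigned char *ptr;
    unsigned char *base;   /* first valid byte */
    unsigned char *bound;  /* one past the last valid byte */
    uint64_t key;          /* identity of the allocation */
    uint64_t *lock;        /* holds key while the allocation is live */
} cptr;

enum { ACC_OK = 0, ACC_SPATIAL = 1, ACC_TEMPORAL = 2 };

static uint64_t next_key = 1;

/* Constructed victim object: a buffer followed by a function pointer, as in
 * a stack frame or a heap object carrying a callback. */
struct session {
    char name[16];
    void (*on_done)(struct session *);
};

static void done_ok(struct session *s) { (void)s; }

/* "Before": an unchecked copy of attacker-controlled length into name.
 * Copying through a byte pointer to the whole object keeps the example
 * well-defined while reproducing what an unbounded strcpy() would do.
 * Returns 1 if on_done survived, 0 if it was overwritten (hijacked). */
static int unchecked_copy(struct session *s, const unsigned char *in, size_t len) {
    if (len > sizeof *s) return -1;      /* keep the demo inside the object */
    memcpy((unsigned char *)s, in, len);
    return s->on_done == done_ok;
}

/* Instrumented allocation: bounds cover exactly n bytes, and a fresh key is
 * stored in a lock slot that cfree() clears. The slot is deliberately never
 * freed so dangling copies of the pointer can still be checked. */
static cptr cmalloc(size_t n) {
    cptr p;
    p.base = p.ptr = malloc(n);
    p.bound = p.base + n;
    p.key = next_key++;
    p.lock = malloc(sizeof *p.lock);
    *p.lock = p.key;
    return p;
}

static void cfree(cptr *p) {
    *p->lock = 0;                        /* invalidates every copy of p */
    free(p->base);
    p->ptr = p->base = p->bound = NULL;
}

/* Pointer to a field: same key/lock, bounds narrowed to the field. */
static cptr cfield(cptr obj, size_t off, size_t size) {
    cptr f = obj;
    f.base = f.ptr = obj.ptr + off;
    f.bound = f.base + size;
    return f;
}

/* The check inserted before every access of len bytes through p:
 * temporal (key/lock) first, then spatial (base/bound). */
static int check_access(cptr p, size_t len) {
    if (*p.lock != p.key) return ACC_TEMPORAL;
    if ((uintptr_t)p.ptr < (uintptr_t)p.base ||
        (uintptr_t)p.ptr + len > (uintptr_t)p.bound) return ACC_SPATIAL;
    return ACC_OK;
}

static int checked_copy(cptr dst, const unsigned char *in, size_t len) {
    int rc = check_access(dst, len);
    if (rc == ACC_OK) memcpy(dst.ptr, in, len);
    return rc;
}

/* Overlong input (constructed) through the unchecked path: returns 0 because
 * on_done is now 0x4141... and a later call would jump there. */
static int overflow_unchecked(void) {
    unsigned char in[sizeof(struct session)];
    memset(in, 'A', sizeof in);
    struct session s;
    s.on_done = done_ok;
    return unchecked_copy(&s, in, sizeof in);
}

/* Same input through the checked path: ACC_SPATIAL, nothing is written. */
static int overflow_checked(void) {
    unsigned char in[sizeof(struct session)];
    memset(in, 'A', sizeof in);
    cptr obj = cmalloc(sizeof(struct session));
    cptr name = cfield(obj, offsetof(struct session, name),
                       sizeof(((struct session *)0)->name));
    int rc = checked_copy(name, in, sizeof in);
    cfree(&obj);
    return rc;
}

/* In-bounds write succeeds; the same pointer after cfree() fails the
 * key/lock check: ACC_TEMPORAL instead of a silent use-after-free. */
static int use_after_free_checked(void) {
    cptr obj = cmalloc(sizeof(struct session));
    cptr name = cfield(obj, offsetof(struct session, name), 16);
    int before = checked_copy(name, (const unsigned char *)"bob", 4);
    cfree(&obj);
    int after = checked_copy(name, (const unsigned char *)"x", 1);
    return before == ACC_OK ? after : -1;
}

int main(void) {
    printf("unchecked overflow: on_done intact = %d\n", overflow_unchecked());
    printf("checked overflow:   rc = %d (1 = spatial violation)\n", overflow_checked());
    printf("checked UAF:        rc = %d (2 = temporal violation)\n", use_after_free_checked());
    return 0;
}
```

The point of carrying the lock slot separately from the object is what makes
the temporal check work after free: the dangling copy still knows which key it
expects, and the slot no longer holds it. The per-access compare and the extra
pointer-sized fields are also exactly where the runtime overhead mentioned in
the Bug class genocide summary comes from.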
Virtually Impossible: The Reality Of Virtualization Security: Gal Diskin (6)
Going down the ISA rabbit hole. Gal lectures about low level security
implications that virtualization will bring us and what kind of pitfalls we
face when using different virtualization technologies. Hardcore talk with lots
of low-level details.
CounterStrike: FX (7)
I wondered for a long time whether I should file this talk under the
political/social talks or under the technical talks. FX delivers a great rant
about lawful interception, how governmental tracking works, and what we might
be able to do about it. Not his best talk, but greatly entertaining.