Another year, another c3
This year marked my 11th year of congress (and 10th visit with a short hiatus in
2012). Just like all the years before we headed to the conference location a day
before the start of the 31c3. After arriving in Hamburg (after a quick detour
through the Lufthansa lounge in Frankfurt with super decent food) we checked in
at the hostel and headed to the CCH, the conference location. After Lumi got her
ticket we headed in and explored the assembly area where a lot of fancy stuff
was already set up.
While there were tons of awesome art projects, old gaming machines, and other
fancy decoration we felt that cozy seating areas were missing. In the last
couple of years we loved to chill on the widely available couches. This year
there were only few couches available and there was usually a super long wait to
score some. But then again, the congress is facing exponential growth (Club of
Rome anyone?) and it is now at more than 12,000 attendees (from around 3,000
attendees 4 years ago) and there's just not more space available.
The 5 talks I appreciated most are:
- Iridium Pager Hacking -- Sec, schneider
- Mining for Bugs with Graph Database Queries -- fabs
- Thunderstrike: EFI bootkits for Apple MacBooks -- Trammell Hudson
- The Perl Jam: Exploiting a 20 Year-old Vulnerability -- Netanel Rubin
- Why are computers so @#!*, and what can we do about it? -- Peter Sewell
- and obviously my talk on Code-Pointer Integrity...
Wir beteiligen uns aktiv an den Diskussionen -- Martin Haase
This was the first talk I watched and maha was awesome as always discussing fine
lines of political arguments and how you can guide and lead the willing
SCADA StrangeLove: Too Smart Grid in da Cloud -- Sergey Gordeychik, Aleksandr Timorin
From the soft skill talk by maha we moved on to a more technical talk about the
continuously bad shape of SCADA systems, including many nice details on their
insecurities and how to pwn the systems.
Glitching For n00bs -- exide
Some details on voltage glitching, playing with frequency shifts, and so on to
get around ROM limitations and force specific execution patterns. Nice
introduction to glitching but nothing earth shattering.
Code Pointer Integrity -- gannimo
My talk on Code-Pointer Integrity,
a defense mechanism we developed to protect low-level code written in C or C++
against control-flow hijack attacks.
AMD x86 SMU firmware analysis -- Rudolf Marek
There are bugs in low-level firmware, who would have thought?
Crypto Tales from the Trenches
This panel led by Nadia Heninger featured a bunch of journalists (Julia Angwin,
Laura Poitras, Jack Gillum) and discussed how "real people" use crypto software
to protect themselves against governmental spying.
Citizenfour -- Laura Poitras
If you haven't seen it yet: the movie is about the Edward Snowden leaks and how
they exchanged data. It sheds some more light on the person behind the leaks
and discusses some of the motivations. Great movie, go watch it!
Mining for Bugs with Graph Database Queries -- fabs
Fabs rehashed his Oakland'14 talk and added a bunch of fresh VLC bugs and a
longer discussion on the topic to make it more approachable to hackers. I really
appreciate that he open-sourced the full framework and is super open to other
hackers playing with his graph search database. The idea is that you have a
super simple parser that churns through a bunch of code (without compiling it),
pipes it into a graph database, and allows you to query for specific patterns on
a combined control-flow, program-dependence, and partial data-flow graph. Using
all these combined graphs you can formulate super complex queries that hint at
specific bugs and reduce the amount of code that you have to audit for 0days.
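To make the "query a combined graph for a bug pattern" idea concrete, here is an added toy example (my own illustration, not fabs's framework or any code from the talk). It hand-builds a tiny property graph for two constructed C-like functions, one that calls memcpy with a caller-supplied length and one that compares the length first, and then runs one query: sink calls whose length argument is reachable over data-flow edges from a function parameter but which are not control-dependent on a condition that reads that parameter. Node and edge names (param, call, arg, cond, REACHES, CONTROLS, ARG) are my own simplification of the control-/data-dependence edges the post mentions.

```python
from collections import defaultdict


class CPG:
    """Minimal property graph: typed nodes, labelled directed edges."""

    def __init__(self):
        self.nodes = {}               # id -> {"kind": ..., attrs...}
        self.out = defaultdict(list)  # src id -> [(label, dst id)], insertion order

    def add_node(self, nid, kind, **attrs):
        self.nodes[nid] = dict(kind=kind, **attrs)

    def add_edge(self, src, label, dst):
        self.out[src].append((label, dst))

    def succ(self, nid, label):
        return [dst for lbl, dst in self.out[nid] if lbl == label]

    def reaches(self, src, dst, label):
        """True if dst is reachable from src over edges of one label (DFS)."""
        seen, stack = set(), [src]
        while stack:
            n = stack.pop()
            if n == dst:
                return True
            if n in seen:
                continue
            seen.add(n)
            stack.extend(self.succ(n, label))
        return False


def add_copy(g, fn, guarded):
    """Constructed stand-in for parsing one function of the shape
         void fn(char *dst, char *src, size_t len) { [if (len < MAX)] memcpy(dst, src, len); }
    into parameter, condition, call and argument nodes (no real parser here)."""
    g.add_node(f"{fn}.len", "param", name="len")
    call = f"{fn}.memcpy"
    g.add_node(call, "call", name="memcpy")
    for i, sym in enumerate(["dst", "src", "len"]):
        arg = f"{call}.arg{i}"
        g.add_node(arg, "arg", symbol=sym)
        g.add_edge(call, "ARG", arg)                      # argument order = insertion order
    g.add_edge(f"{fn}.len", "REACHES", f"{call}.arg2")    # data flow: len -> third argument
    if guarded:
        g.add_node(f"{fn}.if", "cond", symbol="len")
        g.add_edge(f"{fn}.len", "REACHES", f"{fn}.if")    # the check reads len
        g.add_edge(f"{fn}.if", "CONTROLS", call)          # the call is control-dependent on it


def build_sample():
    g = CPG()
    add_copy(g, "unchecked_copy", guarded=False)  # length never compared
    add_copy(g, "checked_copy", guarded=True)     # length compared before the copy
    return g


def unchecked_sink_calls(g, sink="memcpy", length_index=2):
    """Query: calls to `sink` whose length argument is reachable from a
    function parameter and which have no controlling condition that itself
    reads that parameter, i.e. tainted argument without a sanitiser."""
    hits = []
    for nid, n in g.nodes.items():
        if n["kind"] != "call" or n["name"] != sink:
            continue
        length_arg = g.succ(nid, "ARG")[length_index]
        params = [p for p, pn in g.nodes.items()
                  if pn["kind"] == "param" and g.reaches(p, length_arg, "REACHES")]
        guards = [c for c, cn in g.nodes.items()
                  if cn["kind"] == "cond" and g.reaches(c, nid, "CONTROLS")]
        sanitised = any(g.reaches(p, c, "REACHES") for p in params for c in guards)
        if params and not sanitised:
            hits.append(nid)
    return hits


if __name__ == "__main__":
    print(unchecked_sink_calls(build_sample()))  # ['unchecked_copy.memcpy']
```

The query only narrows the audit: a hit means "caller-controlled length, no visible check on the path", which is exactly the kind of candidate list the talk describes handing to a human reviewer, not a confirmed bug. A real implementation would get the nodes and edges from a parser over the whole code base instead of constructing them by hand.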
Fernvale: An Open Hardware and Software Platform, Based on the (nominally) Closed-Source MT6260 SoC -- bunnie, Xobs
Bunnie introduced their research and engineering efforts into a super cheap ARM/GSM
hardware project. The talk was awesome and it is best if you watch it and read
his blog post.
The Matter of Heartbleed -- Zakir Durumeric and Heartache and Heartbleed: The insider's perspective on the aftermath of Heartbleed -- Nick Sullivan
Awesome wrap-up of Heartbleed and how we analyzed and scanned a large part of
the internet to ensure that people actually patch the vulnerability. Great super
compact talk by Zakir and you might also want to read the paper.
Nick then discussed the CloudFlare challenge that they did but surprisingly he
reformulated the challenge and presented CloudFlare in a much better light.
CloudFlare challenged that hackers try to exploit the vulnerability and it
sounded as if they were super sure that using their allocator made the
vulnerability unexploitable while in the talk Nick presented it as a
crowd-sourcing approach to find a working exploit. Anyways, the talk was
interesting to follow and allowed closure on heartbleed.
Fnord News Show -- Frank, fefe
The Fnord news show was awesome as always. We enjoyed the show and -- as always
-- were surprised by all the crap that happened during the year. It is sad what
kind of atrocities the politicians get away with.
EMET 5.1 - Armor or Curtain? -- Rene Freingruber
Overview of EMET 5.1 and how you can break all defense mechanisms like ASLR,
DEP, and different forms of canaries. The talk did not offer any surprises but
it was nice to get an overview of the exploit techniques he used (ROPing and
DP5: PIR for Privacy-preserving Presence -- Ian Goldberg, George Danezis, Nikita Borisov
Talk on how to use private information retrieval and how to connect anonymous
(or semi-anonymous) entities for secure data exchange. This technique protects
against graph similarities and breaking (pseudo-)anonymity by correlating social
Thunderstrike: EFI bootkits for Apple MacBooks -- Trammell Hudson
Exploiting and pwning the firmware of your MacBook using a 2-year-old bug and a
20-year-old legacy feature, connecting a malicious device to the Thunderbolt PCI
bus, intercepting the boot process and injecting your own code into the
firmware, circumventing all Apple verification. Existing devices will always be
vulnerable to downgrade attacks, newer devices can be protected (by not exposing
vulnerable older firmwares).
The Perl Jam: Exploiting a 20 Year-old Vulnerability -- Netanel Rubin
Awesome talk on lists in Perl and how they can be used to overwrite arguments in
functions when they are expanded. This is a must watch, partly for the explicit
language, the awesome camel pictures, and all the great WATs.
UNHash - Methods for better password cracking -- Tonimir Kisasondi
The search space for long passwords is huge. Tonimir looked at specific ways to
guide the search to reap some low hanging fruits and find longer passwords
faster. He looked at password leaks and came up with different forms of
combination and how passwords are constructed from a human perspective,
targeting such passwords explicitly using different word lists.
Infocalypse now: P0wning stuff is not enough -- Walter van Holst
Walter presented a very meta talk on the infocalypse.
Why are computers so @#!*, and what can we do about it? -- Peter Sewell
Awesome talk by Peter taking us on a wild ride through 60 years of abstractions
in computer architecture, building layer upon layer of the software stack,
featuring memory coherency questions and arguing in favor of verified
interfaces. All layers should be verified, formally proven, and protected at all
times. He is interested in coming up with formal descriptions of the interfaces
that are amenable to testing and can actually be used in practice.
State of the Onion -- Jacob, arma
Jacob and arma present the current status of the Tor project, discuss the growth
in bandwidth, governmental attacks, and other kind of quirks that the Tor
project faces on a daily basis.
Due to overcrowding I was unable to watch the following talks. I heard great
things about all of them and they are on my watch list for my next couple of
- Practical EMV PIN interception and fraud detection -- Andrea Barisani
- Revisiting SSL/TLS Implementations -- Sebastian Schinzel
- SS7: Locate. Track. Manipulate. -- Tobias Engel
- ECCHacks -- djb, Tanja Lange
- Beyond PNR: Exploring airline systems -- saper
- Security Analysis of Estonia's Internet Voting System -- J. Alex Halderman
- Preserving arcade games -- Ange Albertini
- Attacks on UEFI security, inspired by Darth Venamis's misery and Speed Racer -- Rafal Wojtczuk, Corey Kallenberg
- CAESAR and NORX -- Philipp Jovanovic, aumasson
Goodbye 31c3
It was a pleasure, goodbye Hamburg, and see you next year!