BlueHat Israel is one of the best boutique cybersecurity conferences and this year was no exception. The conference is single-tracked with a good hallway track and multiple side events. This year the conference grew significantly compared to previous years, and with that came a move to a bigger and better venue.
The talks covered a wide range of issues, from supply chain talks and vulnerabilities in CPU firmware and Active Directory networks to fun talks on reverse engineering GameBoys. Here are some of the best talks and moments from the conference.
Supply chain attacks are on the rise
The most thought-provoking talk deep dived into the concept of supply chain attacks with emphasis on hardware attacks. Andrew “bunnie” Huang delivered a talk titled “Supply Chain Security: “If I were a Nation State…” Supply chain attacks refers to attacking an organization by infecting the software and hardware used in the network. A famous example in recent years is the CCleaner attack where an unknown attacker compromised CCleaner, a program used by many IT organizations, and through it reached a large number of enterprises.
“bunnie” provided several interesting hardware attack examples occurring at different stages along the supply chain from chip fabrication to installation at a network. Along the way he described possible methods to detect such attacks.
The talk started by demonstrating that hardware attacks are real and happening at the consumer level. Real time examples included fake secure storage cards, engineering sample chips passed off to customers as production-ready and instead providing customers with the wrong chips. In this example, the chips were traced back to a specific malicious distributor. These examples caused missing functionality and a false sense of trust in the system.
Hardware attacks can also occur higher up in the supply chain, at the point of fabrication or packaging. For example, attackers can replace high end chips with cheaper components, e.g. replacing hardened RAM with chips susceptible to RowHammer attacks, allowing attackers to exploit a vulnerability that is impossible to mitigate in software. Some of these attacks are simple to detect, by checking the component serial numbers or comparing the board layout to a known reference design. More complex attacks are practically impossible to detect with existing tools. For example, modifying chips placed in a System On a Chip (SOC) package or changing the packaging process (for example, to remove anti tampering protection).
The impact of malicious hardware is hard to overstate. Hardware implants can be used to gain beachheads in closed networks or add hardware vulnerabilities that provide an undetectable rootkit. For most users there is no real defense against such attacks. An ongoing DARPA project on this subject may carry a solution but it will probably take time.
#AMDFlaws – vulnerabilities explained
Another much anticipated talk was The AMDFlaws Story: Technical Deep Dive by Ido Li-On and Uri Farkas from CTS-Labs. A year ago, CTS-Labs, an unknown security firm, claimed that it had uncovered a set of vulnerabilities in the AMD processors that supposedly broke security boundaries between virtual machines and encrypted memory. Their presentation was topnotch and the vulnerabilities were demonstrated for the first time live on stage.
They showed the process involved in researching locked down devices. Initially, CTS-Lab researchers found a simple vulnerability in the AMD processors’ boot process and managed to get access to the rest of the firmware. Only from there were they able to research the rest of the firmware and find more significant vulnerabilities.
Their work was significant, as it tied into other recent research into firmware vulnerabilities. In the past few years, there have been multiple research papers on attacks on the GSM baseband and Bluetooth stacks along with research on the Qualcomm Trusted Zone software .
After the talk, one of the researchers in the audience tweeted that it’s possible there is another vulnerability in the AMD secure processor given the code fragment presented in the talk. Time will tell.
Attacking the Edge browser
There were two talks in the second day of the conference that fit together very nicely. The first was Bruno Keith’s talk on attacking Edge and the second was Matt Miller’s yearly overview of trends in software vulnerabilities.
From this talk and similar talks over the past year, coupled with Project Zero posts, it’s clear that current mitigations fall short of the state-of-the-art browser exploitation techniques. Exploits are routinely published for both major desktop browsers (Edge and Chrome) despite their strong protections. Given strong primitive vulnerabilities, mitigations can be bypassed. This means that security engineers will need to refocus on either preventing vulnerabilities or on containing damage.
Vulnerabilities are harder to exploit and other trends in mitigating Software vulnerabilities
Under the assumption that not all vulnerabilities can be removed, along the years Microsoft has invested resources in exploit mitigations such as ASLR (Memory layout randomisation), Mem GC (a memory allocation hardening measure) and Control Flow Guard (prevents code reuse).
These techniques have been very successful. Exploitation is becoming harder all the time. The amount of zero day vulnerabilities used for mass attacks has pretty much gone to zero and fewer vulnerabilities are showing up in “mass market” exploit kits. This has led attackers to opt for entirely different attack vectors, using social engineering, or more attacks on mobile phones and misconfigured servers.
However, as Bruno Keith’s talk showed, these methods are not enough to prevent exploitation by strong attackers, and if the goal is to stop attackers, mitigations such as the previously mentioned will not be enough.
Furthermore, the amount of vulnerabilities uncovered is still rising. Looking into the vulnerability reports, Matt Miller noted that the mix of vulnerabilities contains plenty of vulnerabilities from modern code that is supposed to pass more stringent testing. Microsoft uses a secure software development lifecycle (SDL) that is supposed to find and remove vulnerabilities during development. This process is clearly failing as there are still a large number of bugs found in released software. As someone from Microsoft noted, “What secure development process?”
For this reason, focus has shifted to removing vulnerabilities at compile time. Both the Microsoft Visual Studio and gcc (used for compiling the Linux kernel) are adding detection and fixes for uninitialized variables (which can leak data) and better C++ libraries that provide bounds detection with little performance impact. These should help kill entire bug classes.
The Cool factor
BlueHat Israel typically contains technical talks whose only goal is to make the audience go “cool”. This year, Or Pinchasof lectured about Bridging Emulation and the Real World with the Nintendo Game Boy. Pinchasof explained how he successfully bridged a GameBoy Advance handheld console (from the early 2000s) and an emulated handset. Even after all these years, enthusiasts have not been able to successfully emulate this functionality. As part of the talk, Pinchasof demonstrated how he analysed, reverse engineered and wrote an emulator for the Gameboy multiplayer. This talk combined a lot of technical details on the wire format, the research setup and results, alongside a lot of cool demos (which mostly worked).
The no show
One of the most anticipated events on the conference agenda was a debate between the CEO of the NSO Group and researchers from Citizen Lab.
NSO Group is a cyber intelligence firm that provides mobile phone spyware to governments around the world. Citizen Lab has previously uncovered multiple human right abuses around the world connected with NSO Groups spyware.
I was really looking forward to this debate as the NSO Group has spent the last few years belittling Citizen Lab’s results and motives. Unfortunately, the CEO decided to cancel only a few days before but this has set the stage for a great interview on one side only.
Some popcorn worthy highlights include the moderator asking Citizen Labs “I know that NSO is willing to have a discussion with you, why won’t you have one?”, with the obligatory answer “well, we’re here, they’re not”.
But many serious questions were raised, such as how do offensive security companies balance legitimate usage of their tools against the large potential for abuse. It’s a shame that NSO skipped the panel, it promised to be very interesting.