2023 SDC Kanxue 7th Security Developer Summit PPT download (see the end of the article)

On October 23, 2023, the Kanxue 7th Security Developer Summit, themed "Security Development · Digital Intelligence Future", was successfully held in Shanghai! Focusing on the development and innovation of security technology in the era of digital intelligence, we stay true to our original intention of sharing purely practical topics and jointly promoting the development of the network security industry!

The summit drew a full house and was full of useful information. Now let's review its highlights!

First of all, thank you to Mr. Wang Tielei for serving as the special host of this summit. The technical insights and incisive questions he raised during the meeting powerfully promoted communication between the speakers and the audience!

【Wang Tielei】

Thanks to Mr. Wang Qiang, Secretary General of the Shanghai Information Security Industry Association, for his speech, which kicked off the conference!

【Wang Qiang】

Secretary General of Shanghai Information Security Industry Association

01

MaginotDNS attack: crossing the cache defense "moat" of domain name resolvers

Is it possible to take over all domain names under .COM or .NET, and then use man-in-the-middle attacks to intercept and replace sensitive information in communications?

In this report, Professor Duan's team introduces a major security vulnerability they discovered in the domain name system. Attackers can use it to carry out a new domain name cache poisoning attack: MaginotDNS. The attack targets conditional domain name resolvers (CDNS). With it, attackers can break through the boundaries of domain name zone protection principles and cross the cache defense "moat" of domain name resolvers: they use insufficiently protected forwarders to pollute the shared cache of tightly protected recursive resolvers, and then take over entire domain name zones, including top-level domains (such as .com and .net).

Through a large-scale measurement study, they found that CDNS is widely used in real-world networks, accounting for 41.8% of the open DNS resolvers they probed. They also found that at least 35.5% of CDNS were vulnerable to MaginotDNS. Through interviews with ISPs, they confirmed widespread use cases of CDNS and real-world attacks.

[Duan Haixin: Professor at Tsinghua University Network Research Institute]

Member of the 8th Discipline Evaluation Group of the Academic Degree Committee of the State Council, co-founder of the world-renowned offensive and defensive team "Blue Lotus", and co-initiator of the International Academic Forum on Cyber Security Research (InForSec). He has long been engaged in teaching and research in the field of cyberspace security. His research directions include network infrastructure and protocol security, cloud computing platform security, vulnerability mining, network attacks, and underground industry detection.

The MaginotDNS attack is an attack technique designed to bypass domain name resolver caching. Domain name resolver (DNS Resolver) is a service responsible for resolving domain names into corresponding IP addresses. It usually caches the resolution results to improve performance and reduce the load on the DNS server. However, this also provides a potential target for attackers. The MaginotDNS attack takes advantage of the cache characteristics of the domain name resolver and fills up the cache by sending a large number of malicious requests, causing legitimate domain name resolution requests to fail to be cached by the resolver. In this way, each resolution request needs to access the DNS server, which increases network latency and server load.

02

From logical computing to neural computing: threat analysis and defense practices for LLM role-playing attacks

Large language models (LLMs) represented by GPT-4 have brought revolutionary changes to society, and security is no exception. While researching LLM security, the author ran into several questions that can be neither avoided nor ignored:

1) What is the essential reason why LLM has such ability and potential?

2) Why are there different characteristics between LLM input and output?

3) What do these changes mean for cybersecurity?

After studying the latest research results from academia and industry, the author found a possible answer: the shift in the underlying computing paradigm from logical computing to neural computing is one of the essential reasons. This shift means that most companies and individuals need to pay more attention to the input and output of LLMs and, to a certain extent, put less emphasis on in-depth research into their internal interpretability. This makes prompt security one of the future focuses.

This report contains the following content:

Analysis of one of the possible essential reasons why deep neural networks bring about changes: from formal logic computing to neural computing;

Combined with the analysis of the current and future systems for building applications based on LLM, conduct a more comprehensive threat modeling;

The author analyzed the multi-dimensional risks of prompt jailbreak and further focused on LLM role-playing attacks. The author conducted a more in-depth threat analysis and found that this type of attack can break through the GPT3.5 model with a probability of nearly 50%.

Combining the principles of LLM technology with prompt engineering and fine-tuning, the author proposes a defense framework consisting of three defense solutions at two key defense points. Experimental data shows that these solutions can effectively reduce the success rate of LLM role-playing attacks by as much as 90%. LLMs make network security more complex and risky, and future offensive and defensive games will be smarter and more cruel. Finally, the author looks ahead to future directions of LLM prompt security research, especially the transition from automatic confrontation to intelligent confrontation.

[Zhang Dong: vivo security researcher]

Currently focusing on AIGC security research, he once worked for a communications network group and a financial group, engaged in network security and privacy protection research.

In the era of large language models (LLMs) represented by ChatGPT, we have ushered in a shift in computing paradigm, from logical computing to neural computing. This transformation has brought revolutionary changes to society and also brought new security challenges. This topic deeply explores the threat analysis and defense practices of LLMs, conducts an in-depth discussion of the capabilities and essence of LLMs, conducts threat modeling of LLM applications, and discusses how to bypass some security mechanisms built into large language models.

03

JDoop: the next-generation static analysis framework for Java Web applications

Compared with traditional static code analysis tools, the emerging Datalog-based static code analysis framework has huge advantages in performance, flexibility, and accuracy, but it has rarely been mentioned in the past. This topic will introduce its application to Java Web vulnerability mining in depth and share the difficulties we encountered when analyzing Java Web programs, our innovative technical practices and vulnerability mining ideas, and the exploitation of vulnerabilities discovered with JDoop, the self-developed tool based on it.

[TheDog: Security researcher at JD Security Lab]

Mainly engaged in binary security research and Java static analysis, he has discovered multiple high-risk vulnerabilities in critical infrastructure such as Ubuntu and nginx.

[0xEaS: JD Blue Army Team Security Researcher]

Mainly engaged in WEB security research, code auditing, WEB penetration, vulnerability mining and other aspects. He has independently mined RCE 0day vulnerabilities in well-known domestic OA systems, security products and other systems.

JDoop is an emerging static analysis framework based on Datalog, which has the advantages of performance, flexibility and accuracy. In recent years, a small number of teams have begun to conduct vulnerability analysis and mining based on Datalog and IR, or applied Datalog to the field of attack detection. There are very few research teams in this direction. This topic further introduces the characteristics and key ideas of JDoop.

04

A light boat can’t help but climb a thousand mountains: exploration and practice of mining industrial control vulnerabilities

The road to discovering industrial control security vulnerabilities faces many challenges: lack of relevant equipment, no industrial control practice environment, insufficient knowledge reserves among researchers, and insufficient financial support from companies. Facing these problems, the speaker will draw on past ideas for vulnerability mining in industrial control systems and the various exploration methods adopted along the way, including protocol communication analysis, traffic capture, forgery and tampering, attack script writing, industrial control software reverse engineering, industrial control app reverse analysis, simulation, and fuzz testing.

The talk also explains the methods that finally yielded vulnerabilities and vulnerability numbers, and describes the basic ideas and methods of industrial control software vulnerability mining, including industrial control software procurement, simulation, industrial control ladder diagram analysis, reverse analysis, and industrial control traffic analysis. Industrial control security issues are elaborated from the perspectives of industrial control security talent training and security system construction.

[Liu Yang: Security researcher at Shanshi Network]

He has long been committed to exploring industrial control system vulnerabilities, and his research directions include mobile security, industrial control security, and reverse analysis. He has many years of experience participating in and setting challenges for offensive and defensive competitions. He has discovered multiple industrial control system vulnerabilities. He has set challenges for multiple offensive and defensive competitions (reverse engineering, mobile security, and industrial control security). He has extensive experience in network attack and defense training for enterprises, institutions, and individuals.

Due to the complexity and diversity of industrial control systems, the lack of equipment and practical environment prevents researchers from conducting sufficient testing and verification. In addition, the knowledge base in the field of industrial control safety is relatively small, and the lack of relevant experience and technical support will also bring huge challenges to researchers. This topic shares ideas and exploration methods for industrial control system vulnerability mining, including protocol communication analysis, traffic capture and packet forgery, attack script writing, reverse analysis, etc. At the same time, issues such as industrial control software procurement, simulation, and safety talent training were discussed.

05

From exploration to exploitation: Android emulator vulnerabilities revealed

This topic introduces the speaker's security research on a number of popular Android emulators, in which the speaker discovered dozens of security vulnerabilities. These vulnerabilities can lead to virtual machine ROOT privilege escalation, information leakage, DoS, virtual machine escape, and other attack effects. Through these practical cases, the topic introduces techniques for dynamic and static analysis of Android emulators, then covers the communication mechanism between each emulator and the guest operating system, the attack surface, the software architecture, and some typical vulnerabilities found. In addition, it shows several cases of escalating an ordinary APK's privileges in the virtual machine to ROOT and then going on to escape the virtual machine. Finally, it gives some suggestions for improving the security of Android emulators.

[Luo Sili: Security researcher]

Binary security engineer, has rich experience in binary vulnerability mining and exploitation, and has delivered technical speeches at HITB and BlackHat.

Android emulators play an important role in our daily development and testing. This speaker independently discovered many heavyweight vulnerabilities in Android emulator security research. This topic revealed and analyzed the vulnerabilities of many popular Android emulators such as ROOT privilege escalation, information leakage, and DOS. It also demonstrated how to escalate from ordinary permissions to ROOT permissions and achieve virtual machine escape.

06

Deep dive into Android trusted application vulnerabilities

In the past few years, Trusted Execution Environment (TEE) has become popular in the Android ecosystem (smartphones, smart cars, smart TVs, etc.). TEE runs an independent, isolated TrustZone operating system in parallel with Android, ensuring that the user's core sensitive data or the phone's core security policy remains safe even if the Android system is compromised.

Like the preset system-level apps in the Android system, the TEE system also has necessary applications (Trusted Applications, TAs) that implement security policies such as data encryption. In the second half of 2022, the speaker conducted security research on the TA implementations of some mainstream manufacturers. Currently, 60 vulnerabilities have been confirmed, including but not limited to serious vulnerabilities such as fingerprint image extraction, fingerprint lock screen bypass, payment key extraction, and user plaintext password extraction.

In this topic, the speaker will introduce the TA implementations in the TEE environments of mainstream manufacturers and their common attack surfaces, and share some tips and methods for security research on TAs, such as how to obtain, as quickly as possible, a mobile phone with Root permissions for research and testing. During the research, the speaker built a simulation system to emulate and fuzz these TAs. The speaker will also introduce how this simulation system is implemented, along with the fuzzing technology and some of the tuning strategies used.

[Li Zhongquan: Venus ADLab mobile security expert]

Focus on vulnerability mining and Fuzzing in Android, Apple, and IoT. He has repeatedly discovered high-risk vulnerabilities in mainstream manufacturers such as Apple, Huawei, Honor, Samsung, Xiaomi, OPPO, vivo, and MediaTek, and has completed product cracking in the Tianfu Cup.

Many sensitive operations are actually completed in the TEE trusted execution environment, which may lead to innate trust in its security. This topic conducted in-depth research on Android TEE, and its research methods have obtained rich vulnerability results. The topic shared the Fuzz skills of its research process.

07

Chip security and radio security underlying penetration technology

Unlike traditional network security, hardware security, chip security, and radio security are important subdivisions of underlying network security. They are the true cornerstone of network security and an important part of national security. "Consolidate the foundation of underlying network security and build a strong national security base" is another true portrayal of the importance of network security.

The game between hardware hackers and hardware security attackers and defenders will intensify in the future. However, because of the sensitivity, closed nature, and invisibility of this underlying layer, the related attack and defense penetration technologies, ideas, tools, and vulnerability results are rarely announced or disclosed. For the same reason, attack and defense penetration technologies, concepts, and methods that go deep into the hardware layer play an important role in future great power games, military electronic technology security, hardware security, chip security, industrial control security, Internet of Things security, Internet of Vehicles security, and more, and at critical moments can even achieve the effect of "a small force moving a thousand pounds". Their "lethality" and "threat power" cannot be ignored.

As the saying goes, "Know your enemy and know yourself, and you can fight a hundred battles without danger." This topic will unveil the mystery of "hardware hackers" and share a less popular but extremely important penetration technology of hardware and chip security: chip fault injection. It ties this closely to the chip's internal structure, chip type, business attributes, firmware security, and CPU instruction execution mechanism, giving deep insight into the mysterious world of underlying chip security. In addition, this topic will also share low-level scanning and penetration technology for radio security, using three different technical principles (replay attacks, protocol reverse restoration, and radio tracking) to crack and interfere with a certain penetration target. This cautionary case reminds everyone of the importance and necessity of wireless security.

[Zhao Yaping: Founder of Diwang Security & Head of Diwang Security Laboratory]

Drawing on an R&D and application background in traditional basic disciplines, he bridges traditional network security, Internet of Things security, Internet of Vehicles security, industrial control security and other fields. He is good at gaining in-depth insights into the nature of information security from the perspective of the bottom layer of the network, especially in the subdivisions of hardware security, chip security, firmware security, communication security, and radio security. He has held important positions in a security agency, a listed company (Top 50 Chinese Private Enterprises in 2022), and a state-owned enterprise respectively as a senior expert in Internet of Vehicles security, a senior expert in industrial control IoT security, and the Chief Engineer of Automotive & Industrial Control Information Security.

This is a sharing about chip fault injection technology. In fact, fault injection is a very active research direction internationally, and it will be a huge attack surface under the condition of physical contact. However, research in this area requires certain hardware support and special equipment, so there are relatively few studies in this area in China.

08

Exploring the Frontier of USB FUZZ Tools

USB is the most common peripheral interface in modern computer systems and devices, and some of its inherent security issues make it an easy target for attackers. In the process of USB security research, we used the USB protocol to completely simulate the Windows USB camera with face recognition, which complies with Microsoft's UVC protocol for infrared camera unlocking, and only needs an ordinary infrared picture to unlock Windows Hello.

To review USB security more comprehensively, we developed a new set of USB fuzz tools based on embedded Lua firmware. The tools can emulate different devices that comply with the USB protocol and, by simulating the interactive transfer of USB descriptor data, act as an arbitrary USB device to automatically fuzz the host's USB stack and drivers. We designed a set of generation strategies to improve efficiency: the data sent by the USB device is used to generate seeds, and the firmware automatically provides feedback based on the execution effect of different seeds, reducing fuzzing time and automatically reporting fuzz results. Current fuzz results include denial of service and crashes on Windows and Ubuntu.

Through this research and development work, we aim to gain a deeper understanding of USB security and contribute to improving the security and robustness of USB devices.

[He Bingyang: Security Researcher at Lenovo Security Lab]

He has many years of security research experience, and his main fields cover IoT, side channels, reverse analysis, etc.

[Wu You: Security researcher at Lenovo Security Lab]

He has many years of experience in security research and participated in the Butian Cracking Cup. His main fields cover IoT, smart home, reverse analysis, etc.

As a peripheral interface that cannot be avoided in life, USB is a very important attack surface in near-field and physical contact environments. There have been many new results in the USB Fuzz direction over the years. Two security researchers focused on the USB protocol and specifically demonstrated Windows Hello unlocking and Windows USB denial of service attacks for us.

09

Internet of Vehicles - Digging loopholes from a research and development perspective

With the introduction of national automobile safety standards and the establishment of the overall direction of vehicle safety, the difficulty of RCE has further increased. How to find new entrances will be a point that needs to be discussed. This topic introduces in detail the methods of mining vehicle vulnerabilities based on the attacker's thinking on vehicle development, which involves the following aspects:

– Current vehicle architecture attack surface: As cars have more and more functions, more and more attack surfaces are exposed.

– How to implement supply chain security: Most parts of the vehicle are mainly developed in the supply chain, which will lead to increased security risks.

– Understand the mental process of R&D when writing code, and analyze the errors that occur when R&D writes code.

– Methods of extracting vehicle firmware: the terminal environment is often incomplete when extracting firmware

– Introducing the idea of vulnerability mining: If you want to find a vulnerability, you must first have an idea.

– Introducing the vulnerabilities found: describe the vulnerability details and how to analyze them

– Analysis of a manufacturer’s private protocol for vehicle control: in-depth analysis of the private protocol for vehicle control and interpretation of the meaning of each field

[Chen Yingao: Xiaomi Intelligent Terminal Security Laboratory Internet of Vehicles Security Expert]

The person in charge of ChaMd5 Car, currently mainly engaged in security research on mobile phones, Internet of Vehicles, and IoT. He has won many awards in Geekpwn and Internet of Vehicles competitions.

The security of the Internet of Vehicles is directly related to the personal safety of customers. We hope that car companies can make it sufficiently perfect at the beginning of the design. This topic discusses how to discover and avoid loopholes in vehicle architecture, supply chain, code writing and other aspects from a research and development perspective.

10

Virtual, virtual and real - in-depth study of automotive virtualization technology

The threshold for Internet of Vehicles security is so high. How great would it be if there was a car that could be installed directly on your computer? Have you ever thought about this problem? Yes, we did it.

This topic introduces our in-depth research on automotive virtualization technology. Along the way, we broke through technical difficulties and, based on virtualization of the host and the CAN network, designed a more reasonable virtual car architecture, forming a very realistic virtual car system. On this system, we carried out attacks, firmware simulation, product testing, and other scenarios against virtual cars. This topic will also introduce our experience in research on physical vehicles and, together with virtualization, some key points of combining the virtual and the real.

[Zhang Kelei: Security Researcher at NSFOCUS Science and Technology Innovation Research Institute]

A distinguished expert of the Shanghai Internet of Vehicles Association, his research focuses on security attack and defense of the Internet of Things and Internet of Vehicles, as well as the incubation and implementation of innovative products. He has won first place and first prize in many Internet of Vehicles security competitions such as the 5th "Strong Network" Mimic Defense International Elite Challenge and the 2021 Intelligent Connected Vehicle Safety Evaluation Skills Competition.

Many car companies may not have time to take into account underlying security issues, and security researchers will face cost issues if they want to study this. Is it possible to break through the constraints of this equipment environment?

Although there are many CAN network simulations, there are still few vehicle networks that can achieve full simulation.

This topic focuses on the automotive safety range and brings us a very real virtual car system.

11

Exploring the security attack surface of software-defined cars

With the advent of the era of software-defined cars, service-oriented architecture (SOA) has been widely used in modern cars. Automotive SOA decouples vehicle application development from the vehicle hardware platform, so vehicle applications can call the capabilities of automotive domain controllers and sensors through standardized interfaces. This topic studies the mainstream SOA architecture in depth and, from the perspective of the entire vehicle, identifies multiple security attack surfaces that can bypass system restrictions and send sensitive instructions, such as unlocking car doors and obtaining sensitive information. It demonstrates how a malicious car app combined with multiple system flaws can control a vehicle, and provides security suggestions and remediation plans.

[Qu Lewei: Senior security researcher]

A former senior security engineer at Baidu, he was responsible for the security of Baidu's AIoT products. Now he is the security director of an autonomous driving company, responsible for the security of vehicle-road-cloud integrated products and the construction of enterprise network and data security protection systems. He has conducted in-depth research on WiFi, Bluetooth, kernel, and Android systems, and obtained 300+ CVE vulnerabilities. He has been thanked by Google Android, Qualcomm, and MediaTek many times. He was named Google's 2022 Top Bug Hunter and the researcher with the most acknowledgments, and has spoken at BlackHat 2021 Europe / 2022 Asia / 2022 USA, KCon 2023, and the 5th AutoCS 2023.

To exaggerate, it is more like buying a computer and getting a car as a gift. Advanced services can better create user experience. We may subscribe to many application services on new energy vehicles, so what specific security risks will we encounter in the vehicle system? This topic shared in detail the safety issues of multiple vehicle systems.

Round table talks

Bringing people together to talk is always worthwhile. This summit invited six top security experts and industry leaders to focus on the future of new energy vehicles, each sharing their opinions and inspiring one another.

In the roundtable session, the host, Wang Qi (Big Bullfrog), current Chairman and CEO of DARKNAVY, asked pointed questions and held an in-depth discussion with the panelists on issues such as "security effectiveness is difficult to measure", "there is a contradiction between the pay of security personnel and the cost of cars", "technical personnel and business executives have different concerns", "bounties that are too low cannot attract white hat hackers, while bounties that are too high may make the company itself the target of public criticism", and "the difficulty of closed-loop security of the Internet of Vehicles". The panelists, as listed: Director of China Automotive Industry Association, Li Jun, Founder & CEO of GoGoByte, Zhao Hao, Weilai Automobile Machinery, Internet of Vehicles and Ecological Security Person in charge, Xu Ji, Head of Attack, Defense and Operations of JiKrypton Security, Gu Yongmei, Senior Director of Security Compliance and Risk Management of SAIC Information Strategy and Network Security Department, Senior Engineer Ning Yuqiao.

A corner of the venue

Many guests were attracted by the unique and novel gadgets on each stall. The booth was crowded, which showed how lively it was!

Thanks to BlogView and Hacking Club for bringing interesting and fun exhibits!

The major booths were very popular, and guests stopped to interact and win various "trophies". The darts and digital Huarong Dao games at the Kanxue booth made passing guests eager to take up the challenge. After a fierce battle, they walked to the next booth with a gift.

During every break in the conference, we held exciting lucky draws!

Congratulations to this lucky guy who won the ultimate prize Huawei Mate 60 Pro!

Thank you to the leaders, teachers and students of the National Cyber Security College of Wuhan University for your strong support to the Kanxue Summit!

In addition, we would also like to thank the volunteers who traveled thousands of miles to assist with summit-related work: Wang Menglei, Qian Xing, Lu Zhaoyang, and Xu Wanpeng. Thank you for your support and love for Kanxue and the network security industry!

For the conference PPT download address, see:

Link: https://pan.baidu.com/s/1LtvR7TBAhOlDpy11CG3pEg?pwd=yktn
Extraction code: yktn

Origin blog.csdn.net/qq_18209847/article/details/134044581