Speak at a Meetup
You could be listed here! Submit your talk now.
An extremely brief overview of post-quantum cryptography
Currently, one of the most exciting and talked-about topics in cryptography is the move to post-quantum cryptosystems. This talk will cover what constitutes being “post-quantum,” the domains of cryptography in which that’s relevant, and a few of the current most exciting ideas in the space. JP Smith is a cryptography engineer at Trail of Bits.
A Software-testing Case Study on Ethereum Smart Contracts
We’ll review a function called ‘batchTransfer’ in one of the Gemini dollar smart contracts and use it as a case study for software testing in the setting of Ethereum smart contracts. Specifically, we’ll review two versions of this function, the second of which rectifies unintended edge-case behavior in the first. The main focus of this talk will be on the use of two tools, Manticore and Echidna, and how they were used to specify correctness properties about the ‘batchTransfer’ function. We’ll conclude with some remarks on the relative strengths of these tools, as well as their advantages over example-based unit testing. Daniel James is a security engineer at Gemini Trust.
Empire Hacking hosted end-of-summer presentations from a group of interns from around NYC.
Intern speakers included:
- James Wang, Trail of Bits
- Aditi Gupta, Trail of Bits
- Guillaume Fournier, DataDog
- Dennis Röllke, NYU
- Nicholas O’Brien, Facebook
- Momopranto Amin, Facebook
- Sohum Sontakke, Etsy
Server-side Spreadsheet Injections
CSV injection and client-side Excel DDE attacks are well-known in the security community. This talk explores and demonstrates new ways spreadsheet formulas can be used to exploit servers and cloud platforms supported by spreadsheet technology. By injecting formulas into server-side services and without client interaction, we will demonstrate how we have stolen sensitive data, inserted backdoors, and obtained remote code execution during client engagements. Jake Miller is a security consultant at Bishop Fox.
Three Super Features That Could Transform Osquery
Not all features are created equal. Most features improve functionality. However, some features expand a tool’s ability so completely that the baseline product becomes something entirely new. We call these features Super Features. In this talk, we’ll review a feature wishlist gathered from interviews with 5 Silicon Valley tech teams who use osquery. From these, we’ll identify the Super Features - features that, if built, would fundamentally change the value proposition of osquery for the better. Then, we’ll discuss how Trail of Bits plans to make these osquery Super Features a reality. Lauren Pearl is the head of strategy and operations at Trail of Bits.
Attacking Browser-Based Ethereum Wallets
Browser-based Ethereum wallets are currently one of the only ways to interact with dApps in the Ethereum network. While they are innovative in nature, many of these wallets expose their users to a wide attack surface. Further, they provide information to sites you probably don’t want them knowing. In this talk, I go over the attack surface of all these wallet softwares, how they can be exploited, and how the risks can be mitigated. Brandon Arvanaghi is a security engineer at Gemini.
In the blockchain, there are no secrets. Every transaction is logged and everyone has a copy of all of the code. Nearly all of this code can only be analyzed through reverse engineering. Over the past year, we’ve seen enterprising hackers use flaws in smart contracts to whisk away millions. This was made possible thanks to Ethereum, the technology that powers cryptocats, and Solidity, a high level language that describes Ethereum’s Turing complete smart contracts. This talk will introduce smart contract security, present common vulnerability classes, and demonstrate how to reverse engineer EVM code to identify these vulnerabilities. The talk will also present tools to support vulnerability discovery in EVM code and Solidity. Ryan Stortz and Jay Little are security engineers at Trail of Bits.
Privacy on the blockchain: insights from 3 leading projects
Projects like Enigma and Keep are developing solutions to keep sensitive data private but useful on the blockchain. Doing so would be a leap forward for dApps and a provide a stronger bridge to enterprise users. What are the key problems and which of these solutions is likely to succeed? Ana De Sousa is a consultant and analyst focused on commercial applications of blockchain technology. Previously, she led analytics teams at LinkedIn and AT Kearney. She’s delighted to finally put her BA in Economics to use.
Containers aka crazy user space fun
Like the movie Plan 9 from outer space, this talk will cover containers from user space. What are they? Where did they come from? How much koolaid is involved in adopting them into your life… Come for the jokes, stay for the interesting technical details. Jess Frazelle works at Microsoft on open source, containers, and Linux. She has been a maintainer of Docker, contributor to RunC, Kubernetes and Golang as well as other projects. She loves all things involving Linux namespaces and cgroups and is probably most well known for running desktop applications in containers and her work on making containers secure.
Past, Present, and Future of Ethereum and its Security
John Maurelian of Consensys Diligence will discuss his highlights of the latest developments in Ethereum security. Many new projects, papers, and tools were released at Devcon3 that demand attention from those concerned with Ethereum security.
Building the Quorum Blockchain
Amber Baldet and Brian Schroeder of the Enterprise Ethereum Alliance will discuss blockchain threat modeling, confidential transactions, and zero-knowledge proofs. All the tech that makes the Quorum permissioned blockchain possible!
Learn Ethereum security through Capture the Flag
Sophia D’Antoine of Trail of Bits will discuss recent CTF competitions that have featured Solidity and Ethereum challenges, and the tools required to exploit them.
Automatic Bug Finding for the Blockchain
Mark Mossberg of Trail of Bits will discuss practical symbolic execution of EVM bytecode with Manticore. Mark recently completed a smart contract audit where Manticore was used to find subtle numerical issues of high severity.
Lightning talk: Addressing infosec needs with blockchain technology
Paul Makowski will discuss PolySwarm, an upcoming cybersecurity-focused Ethereum token, and how it aligns incentives and addresses deficiencies in the threat intelligence industry.
Understanding Windows Defender’s JS Engine
Post-Exploitation on Kubernetes
Kubernetes has become the de facto system for container orchestration. It makes scaling and deploying containers much easier, but there’s a lot left to consider from the security perspective. This talk focuses on post-exploitation techniques and will cover pivoting, persistence, and data exfiltration as they are done on Kubernetes. Omar is a security engineer at Etsy.
Empire Hacking hosted end-of-summer presentations from a group of interns from around NYC.
- Kareem El-Faramawi, Trail of Bits
- JP Smith, Trail of Bits
- Theofilos Petsios, Trail of Bits
- Spencer Michaels, NCC Group
- Joel Margolis, NCC Group
- Jules Denardou, Datadog
- Aleksey and Ofer, HYPR
- Kimberly Hou, MongoDB
Lessons in PL Theory: Modern type systems
JP Smith, a security engineering intern at Trail of Bits, discussed modern type systems and their applications to security. He covered dependent types and their applications enforcing strong invariants at compile time. Then, he reviewed how affine types can be used for better memory safety in languages like Rust.
True facts about the qmail source code
qmail is extraordinary in that it was written in C, implements a complex protocol, and has had no impactful security bugs for over 10 years. Mark has reviewed the qmail source code for a project at Trail of Bits and will share several of the idiosyncrasies and interesting details he has found. Mark Mossberg is a security engineer at Trail of Bits.
Smart uses for dumb fuzzing
CS class or @EmpireHacking @Etsy pic.twitter.com/4ukGGJFsi5— Pete Taylor (@taylopet) June 13, 2017
Intro to Rust Lightning Talk
Efe Alatan, a senior at NYU Tandon, gave a brief overview Rust.
Dissecting a Fingerprint Sensor
Daniel Lawson hacked a fingerprint sensor 10 ways from Sunday and shared his findings with us. All bugs identified were reported the vendor and are in the process of being fixed. Dan is a security consultant at MWR.
Transport Layer Security 1.3
The protocol that protects most of the Internet secure connections is getting the biggest ever revamp, and is losing a round-trip. We will explore differences between TLS 1.3 and previous versions in detail, focusing on the security improvements of the new protocol as well as some of the challenges we face around securely implementing new features such as 0-RTT resumption. At Cloudflare we will be the first to deploy TLS 1.3 on a wide scale, and we’ll be able to discuss the insights we gained while implementing and deploying this protocol. Nick Sullivan is the head of cryptography at Cloudflare.
Getting ready for tonight @work_bench pic.twitter.com/AtCp7vTLjq— Empire Hacking (@EmpireHacking) April 11, 2017
Mark Mossberg of Trail of Bits gave a short demo of Manticore, a ruthlessly effective hybrid symbolic-concrete (“concolic”) execution system that scales to large programs with numerous dependencies, complex interaction, and manual setup. Manticore is being prepared for a public release in March.
Bootstrapping a slightly more secure laptop
Heads is an open source custom firmware and OS configuration for laptops and servers that aims to provide slightly better physical security and protection for data on the system. Unlike Tails, which aims to be a stateless OS that leaves no trace on the computer of its presence, Heads is intended to store data and state. It targets specific models of commodity hardware and takes advantage of lessons learned from vulnerability research. This talk provides an overview of Heads, a demo of installing it on a Thinkpad, and a tour of the attacks that it protects against. Presented by Trammell Hudson.
When Bad Things Happen to Good Computers
We discuss the current state-of-the-art in the field of electromagnetic fault injection (EMFI) and our on-going research into the matter. We present motivational examples show-casing the potential capabilities of EMFI techniques against secure embedded hardware. We also discuss the draw-backs of traditional EMFI techniques and hard physical limitations of such techniques in its current incarnation. Lastly, we informally unveil our soon-to-be-open-sourced BadFET, a high-powered nano-second zero-recovery time multiple firing EMP system, and yes, it will probably kill you if you touched it. Presented by Ang Cui and Rick Housley of Red Balloon Security.
Be a Binary Rockstar: An Intro to Program Analysis with Binary Ninja
Many static analyses, such as LLVM passes, depend on the ability to compile source code and cannot operate on binaries. Binary Ninja offers a new Intermediate Language (IL) that makes running such analyses on binaries much easier. I will describe how to use the Binary Ninja IL to automatically discover memory corruption vulnerabilities in binary code, and introduce the concepts of variable analysis, abstract interpretation, and integer range analysis in the process. Presented by Sophia D’Antoine of Trail of Bits.
Shuffler: Fast and Deployable Continuous Code Re-Randomization
Just-In-Time ROP (JIT-ROP) techniques, where an attacker uses a memory disclosure vulnerability to discover code gadgets at runtime are particularly pernicious. We designed a code-reuse defense, called Shuffler, which continuously re-randomizes code locations on the order of milliseconds, introducing a real-time deadline on the attacker. Shuffler focuses on being fast, self-hosting, and nonintrusive to the end user. Evaluation shows that Shuffler defends against all known forms of code reuse, including ROP, direct JIT-ROP, indirect JIT-ROP, and Blind ROP. Presented by David Williams-King, a PhD student at Columbia University.
Differential Fuzzing with LLVM’s LibFuzzer
We extended libFuzzer to support differential fuzzing of applications of similar functionality (e.g., SSL libraries) and developed a set of new metrics to guide input generation, particularly retrofitted towards differential testing. We’ll be doing a demo of the engine and present some of the bugs we found. Presented by Theofilos Petsios and Adrian Tang, PhD candidates at Columbia University.
Firing Rounds at the Analysis Shooting Gallery
DARPA spent hundreds of thousands of my tax dollars creating small C and C++ programs that include exploitable software flaws. We took those programs, ported them to Linux and OS X, and used them as a shooting gallery for static and dynamic analysis tools. Let’s see where each tool excels and where each tool fails. Presented by Ryan Stortz, a principal security researcher at Trail of Bits.
Lots of new faces at our meeting last week with almost 100 total attendees. Here's some feedback we received: pic.twitter.com/jBtv9e3wzA— Empire Hacking (@EmpireHacking) October 17, 2016
ProtoFuzz: A Google Protocol Buffers Message Generator
Yan Ivnitskiy, a Principal Security Engineer at Trail of Bits, presented ProtoFuzz, a generic fuzzer for Google’s Protocol Buffers format. Instead of defining a new fuzzer generator for custom binary formats, protofuzz automatically creates a fuzzer based on the same format definition that programs use. ProtoFuzz is implemented as a stand-alone Python3 program.
Dash: A Web-based tool for Writing Shellcode
Pete Markowsky, a security researcher from NYC, presented Dash, a simple Python Flask-based web application for reading and writing assembly. Think of it as a REPL for various assembly languages. Dash explores how one might design an IDE for writing shellcode.
Algo: A 1-click IPSEC VPN in the Cloud
Dan Guido, CEO of Trail of Bits, presented Algo VPN, a set of Ansible scripts that simplifies the setup of an IPSEC VPN. It contains the most secure defaults available, works with common cloud providers, and does not require client software on most devices.
cool hacking meetup in NYC https://t.co/cpRKELA9p3 @dguido https://t.co/gUMFoyrEp7— Elissa Shevinsky (@ElissaBeth) August 13, 2016
Doorman: An OSQuery Fleet Manager
OSQuery turns operating system information into a format that can be queried using standard SQL-based statements. But once you’ve got that data, how do you search it? Until now, you’d have to engineer your own front-end management console. Enter Doorman. This simple web interface allows you to manage your entire fleet of OSQuery machines. In this Empire Hacking talk, Marcin Wielgoszewski, a security engineer, demonstrated how Doorman works, and answered questions about its deployment and use.
Tidas: Passwordless Auth with the Secure Enclave
Nick Esposito, a Senior Software Engineer at Trail of Bits, discussed the design of Tidas, a solution for password-free authentication for iOS software developers. Tidas takes advantage of our unique capability to generate and store ECC keys inside the Secure Enclave.
Beyond Corp: Lessons learned from 5 years of endpoint attestation
An increasingly mobile workforce and the ubiquity of attacks on client platforms limit the effectiveness of the traditional corporate network perimeter-security model. Beyond Corp is a broad effort to re-architect the delivery of Google corporate computing services, removing privileges granted solely on the basis of network address. The underlying architecture relies on a model of machine identity, authentication, and state-aware authorization to provide differential to services. August Huber, a data defender at Google, discussed the background of the work, general approach, challenges encountered, and future directions.
We just broke our pre-registration record (75 hackers)! Come see BeyondCorp, Tidas, and Doorman tomorrow @Spotify https://t.co/tlBDTOu5md— Empire Hacking (@EmpireHacking) June 6, 2016
Putting the Hype in Hypervisor
Brandon Falk, a software security researcher, operating system developer and fuzzing enthusiast, presented various ways of gathering code coverage information without binary modification and how to use code coverage to direct fuzzing.
Crypto Challenges and Fails
Ben Agre, a computer security consultant, distinguished successful crypto challenges from failures through the lens of challenges offered by RSA, Telegram, and several smaller examples.
Great week: Hanging out at the NCC NYC office, going to @EmpireHacking, and seeing David Gilmour at MSG tonight!— David Schuetz (@DarthNull) April 11, 2016
Reversing Engineering the Tytera MD380 2-way Radio
Travis Goodspeed, a neighbor, explained how the handheld digital radio used for the Digital Mobile Radio (DMR) protocol was jailbroken to allow for patching and firmware extraction, as well as the tricks used to patch the firmware for new features, such as promiscuous mode and a secondary application.
The Mobile Application Security Toolkit (MAST)
Sophia D’Antoine addressed the design of the Mobile Application Security Toolkit (MAST) which ties together jailbreak detection, anti-debugging, and anti-reversing in LLVM for protection of iOS applications.
not much worst than being in new york but not being able to attend @EmpireHacking . will have to catch the next one! #infosec @nysecsec— geminiimatt/'mateo' (@geminiimatt) February 10, 2016
Exploiting Out-of-Order Execution for Covert Cross-VM Communication
Sophia D’Antoine, one of our security engineers, demonstrated a novel side channel that exploits out-of-order execution to enable cross-VM communication.
Experiments building and visualizing hypergraphs of security data
Richard Lethin, President of Reservoir Labs, discussed data structures and algorithms that enable the representation and analysis of big data (such as security logs) as hypergraphs.
Packed house tonight! pic.twitter.com/wCDxoyW2zQ— Empire Hacking (@EmpireHacking) December 8, 2015
The PointsTo Use-After-Free Detector
Peter Goodman, our very own dynamic binary translator, presented the design of PointsTo, an LLVM-based static analysis system that automatically finds use-after-free vulnerabilities in large codebases.
Protecting Virtual Function Calls in COTS C++ Binaries
Aravind Prakash, an assistant professor in the Dept. of Computer Science at Binghamton University, showed how vfGuard protects virtual function calls in C++ from control subversion attacks.
Definitely enjoyed @EmpireHacking prog analysis talks tonight, thanks @dguido for making this happen! I'll be there next time with more Q's!— Julien Vanegue (@jvanegue) October 14, 2015
Exploiting the Nintendo 3DS
Luke Arntson, a hobbyist security researcher, reverse engineer, and hardware hacker, highlighted the origins of the Nintendo DS Profile exploit, the obfuscated Gateway browser exploit, and the payloads used by both.
Trail of Bits Cyber Grand Challenge (CGC) Demo
Ryan Stortz, one of our security engineers, described the high-level architecture of the system we built to fight and destroy insecure software as part of a DARPA competition, how well it worked, and difficulties we overcame during the development process.
OS X Malware
Jay Little, another of our security engineers, gave a code review of Hacking Team’s OS X kernel rootkit in just 10 minutes.
Loving this turbo talk on OS X Malware! Helpful & Jay Little = hilarious! launchd my new friend. @empirehacking pic.twitter.com/hpKsDtSmRf— geminiimatt/'mateo' (@geminiimatt) August 12, 2015
Offense at Scale
Chris Rohlf from Yahoo discussed the effects of scale on vulnerability research, fuzzing and real attack campaigns.
Automatically proving program termination (and more!)
Dr. Byron Cook, Professor of Computer Science at University College London, shared research advances that have led to practical tools for automatically proving program termination and related properties.
Cellular Baseband Exploitation
Nick DePetrillo, one of our principal security engineers, explored the challenges of reliable, large-scale cellular baseband exploitation.
"Halting problem? What halting problem?" Byron Cook at @EmpireHacking, basically.— Jan Schaumann (@jschauma) June 9, 2015