BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Let's Dance in the Cache - Destabilizing Hash Table 
 on\n   Microsoft IIS\n   When: Friday\, Aug 12\, 17:00 - 17:45 PDT\n   Whe
 re: Caesars Forum - Academy 401-410\, 421 (Track 3) - [1]Map\n\n   Speaker
 Bio:Orange Tsai \, Principal Security Researcher of DEVCORE\n   Cheng-Da T
 sai\, aka Orange Tsai\, is the principal security researcher\n   of DEVCOR
 E and the core member of CHROOT security group in Taiwan. He\n   is also t
 he champion and got the "Master of Pwn" title in Pwn2Own\n   2021. In addi
 tion\, Orange has spoken at several top conferences such\n   as Black Hat 
 USA/ASIA\, DEF CON\, HITCON\, HITB GSEC/AMS\, CODE BLUE\, POC\,\n   and Wo
 oYun!\n\n   Currently\, Orange is a 0day researcher focusing on web/applic
 ation\n   security. His research got not only the Pwnie Awards winner for 
 "Best\n   Server-Side Bug" of 2019/2021 but also 1st place in "Top 10 Web\
 n   Hacking Techniques" of 2017/2018. Orange also enjoys bug bounties in\n
    his free time. He is enthusiastic about the RCE bugs and uncovered\n   
 RCEs in numerous vendors such as Twitter\, Facebook\, Uber\, Apple\,\n   G
 itHub\, Amazon\, etc. You can find him on Twitter @orange_8361 and blog\n 
   [2]http://blog.orange.tw/\n\n   Twitter: [3]@orange_8361\n\n   Descripti
 on:\n   Hash Table\, as the most fundamental Data Structure in Computer\n 
   Science\, is extensively applied in Software Architecture to store data\
 n   in an associative manner. However\, its architecture makes it prone to
 \n   Collision Attacks. To deal with this problem\, 25 years ago\, Microso
 ft\n   designed its own Dynamic Hashing algorithm and applied it everywher
 e\n   in IIS\, the Web Server from Microsoft\, to serve various data from 
 HTTP\n   Stack. As Hash Table is everywhere\, isn't the design from Micros
 oft\n   worth scrutinizing?\n\n   We dive into IIS internals through month
 s of Reverse-Engineering\n   efforts to examine both the Hash Table implem
 entation and the use of\n   Hash Table algorithms. Several types of attack
 s are proposed and\n   uncovered in our research\, including (1) A special
 ly designed\n   Zero-Hash Flooding Attack against Microsoft's self-impleme
 nted\n   algorithm. (2) A Cache Poisoning Attack based on the inconsistenc
 y\n   between Hash-Keys. (3) An unusual Authentication Bypass based on a\n
    hash collision.\n\n   By understanding this talk\, the audience won't b
 e surprised why we can\n   destabilize the Hash Table easily. The audience
  will also learn how we\n   explore the IIS internals and will be surprise
 d by our results. These\n   results could not only make a default installe
 d IIS Server hang with\n   100% CPU but also modify arbitrary HTTP respons
 es through crafted HTTP\n   request. Moreover\, we'll demonstrate how we b
 ypass the authentication\n   requirement with a single\, crafted password 
 by colliding the identity\n   cache!\n\n   '\n\n   1. https://defcon.outel
 .org/consolidated_page.html#CaesarsAcademyBR\n   2. http://blog.orange.tw/
 \n   3. https://twitter.com/orange_8361\n\n\n
DTEND:20220813T004500Z
DTSTART:20220813T000000Z
LOCATION:DC - Caesars Forum - Academy 401-410\, 421 (Track 3)
SUMMARY:Let's Dance in the Cache - Destabilizing Hash Table on Microsoft II
 S
END:VEVENT
END:VCALENDAR
