Talk/Event Schedule

Sunday

Sunday - 06:00 PDT

Sunday - 07:00 PDT

Sunday - 08:00 PDT

Sunday - 09:00 PDT

Sunday - 10:00 PDT

Sunday - 11:00 PDT

Sunday - 12:00 PDT

Sunday - 13:00 PDT

Sunday - 14:00 PDT

Sunday - 15:00 PDT

Sunday - 16:00 PDT

Sunday - 17:00 PDT

Talk/Event Descriptions

CON - Sunday - 10:00-11:59 PDT

This year, we are proud to introduce a brand new contest, designed to push your limits and awaken your curiosity.

The ? Cube Challenge is not for the faint-hearted. It is a multi-layered, complex puzzle that requires you to use all your hacking and analytical skills to solve it.

The cube is loaded with riddles and puzzles that must be solved one by one to progress further towards the ultimate goal.

This challenge is not just about solving a puzzle, it's about exploring your curiosity and pushing the boundaries of your knowledge.

It's about putting your hacker mindset to work and seeing how far you can go.

With each step, you'll be one step closer to unlocking the secrets of the ? Cube Challenge.We know that Defcon attendees are always looking for the next big challenge, and we have created the ? Cube Challenge with that in mind.

It is a contest that will test your limits, engage your creativity, and push your curiosity to the next level.So come and join us at Defcon 31 and take on the ultimate challenge! Who knows, you might just walk away with the title of ? Cub Champion and the admiration of your fellow hackers. Are you ready to take the challenge?

The above was totally written by ChatGPT. I don't want to give out too much information, but basically there is going to be a big cube like object that contestants will have to deconstruct to find the hidden awesomeness. I hope to have challenges spread across multiple domains, both online in a jeopardy style ctf as well as the physical puzzle of the cube which will be module in nature, with each physical puzzle tying to the next.

DC - Sunday - 12:00-12:45 PDT

He is responsible for research of malware campaigns, attack surfaces and vectors and evasion techniques. His findings are used for developing new analysis, detection, and mitigation capabilities.

Ron joined Deep Instinct in 2019 after serving as a security researcher and forensics specialist in one of the IDF’s elite cyber units.

Today, there are multiple offensive tools in the wild that can execute code as “NT AUTHORITY\SYSTEM” (Meterpreter, CobaltStrike, Potato tools), and they all usually do so by duplicating tokens and manipulating services in some way or another. This talk will show an evasive and undetected privilege escalation technique that abuses the Windows Filtering Platform (WFP). This platform processes network traffic and allow configuring filters that permit or block communication.

It is built-in component of the operating system since Windows Vista, and doesn’t require an installation. My research started from reverse-engineering a single RPC method in an OS service and ended with several techniques to abuse a system kernel component, that allow executing programs as “NT AUTHORITY\SYSTEM”, as well as other users that are logged on the the machine without triggering any traditional detection algorithms.

The various components of the Windows Filtering Platform will be analyzed, such as the Basic Filtering Engine, the TCPIP driver and the IPSec protocol, while focusing on how to abuse them and extract valuable data from them.

REFERENCES

• https://googleprojectzero.blogspot.com/2021/08/understanding-network-access-windows-app.html
• https://scorpiosoftware.net/2022/12/25/introduction-to-the-windows-filtering-platform/
• https://learn.microsoft.com/en-us/windows/win32/fwp/windows-filtering-platform-architecture-overview
• https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759130(v=ws.10)

CON - Sunday - 10:00-11:59 PDT

ASV - Sunday - 10:00-13:59 PDT

A-ISAC and Embry-Riddle Aeronautical University - Prescott

**Laptop Needed**

A variety of aviation infrastructure have been compromised. Immerse yourself into challenges where you are tasked with identifying attacks/attackers, stopping attacks, and restoring normal operations. As a participant your first step is to register ahead and read the rules at: https://aisac.cyberskyline.com/events/aisac-defcon and bring your own laptop to the venue. You can participate in the virtual challenges from Friday, but the more critical in-person challenges are only available at certain times during Village open hours!

PSV - Sunday - 13:00-13:59 PDT

DC - Sunday - 11:00-11:45 PDT

Bramwell is now an Assistant Professor of Computer Science at the University of Alabama in Huntsville; he previously was an Assistant Professor and the Director of the Vulnerability and Exploitation Research for Offensive and Novel Attacks (VERONA Lab) at Dakota State University, specializing in vulnerability research, software exploitation, and the development of new, cutting-edge tools and techniques with respect to software exploitation and malware analysis. Bramwell has taught numerous undergraduate, graduate and doctoral level courses in software exploitation, reverse engineering, malware analysis and offensive security. Bramwell was a PI on a $300,000 NSA/NCAE research grant, which culminated in the release of a shellcode emulator, SHAREM, in September 2022. Bramwell has been a speaker at many top security conferences, including DEF CON, Hack in the Box Amsterdam, @Hack, Black Hat Middle East, Black Hat Asia, Black Hat Europe, Wild West Hackin’ Fest, and more.

Bypassing DEP via ROP is typically straightforward, using WinAPIs such as VirualProtect and VirtualAlloc. We demonstrate an alternative: using Windows syscalls. In fact, ROCKET provides automatic ROP chain construction to bypass ROP using Windows syscalls. While extremely trendy, Windows syscalls are only very rarely used in ROP.

One problem with automatic chain construction is bad chars or bad bytes. We demonstrate how ROCKET allows us to use virtulally any gadget whose address contains bad bytes. With this approach, automatic ROP chain construction is far less likely to fail. Thus, we overcome one of the major obstacles when creating a ROP chain: bad bytes, which reduces the attack surface needlessly. In fact, if one wanted, they could use ROCKET to "obfuscate" any gadget, obscuring what is being done.

This presentation will do the seemingly impossible - and surprise even veteran users of ROP.

REFERENCES:

1. Brizendine, B., Babcock, A.: A Novel Method for the Automatic Generation of JOP Chain Exploits. In: National Cyber Summit. pp. 77–92 (2021)
2. Min, J.W., Jung, S.M., Lee, D.Y., Chung, T.M.: Jump oriented programming on windows platform (on the x86). Lect. Notes Comput. Sci. (including Subser. Lect. Notes Artif. Intell. Lect. Notes Bioinformatics). 7335 LNCS, 376–390 (2012). https://doi.org/10.1007/978-3-642-31137-6_29
3. Erdodi, L.: Attacking x86 windows binaries by jump oriented programming. INES 2013 - IEEE 17th Int. Conf. Intell. Eng. Syst. Proc. 333–338 (2013). https://doi.org/10.1109/INES.2013.6632837
4. Brizendine, B., Babcock, A.: Pre-built JOP Chains with the JOP ROCKET: Bypassing DEP without ROP. Black Hat Asia. (2021)
5. One, A.: Smashing the stack for fun and profit. Phrack Mag. 7, 14–16 (1996)
6. Designer, S.: “Return-to-libc” attack., https://seclists.org/bugtraq/1997/Aug/63
7. Shacham, H.: The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). Proc. ACM Conf. Comput. Commun. Secur. 552–561 (2007). https://doi.org/10.1145/1315245.1315313
8. Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-Oriented Programming : Systems , Languages , and Applications. ACM Trans. Inf. Syst. Secur. 15, 1–36 (2012)
9. Buchanan, E., Roemer, R., Savage, S., Shacham, H.: Return-oriented programming: Exploitation without code injection. Black Hat. 8, (2008)
10. PaX, T.: PaX address space layout randomization (ASLR). http//pax. grsecurity. net/docs/aslr. txt. (2003)
11. Mark E, R., Alex, I., others: Windows Internals, Part 2, (2012)
12. Shacham, H., Page, M., Pfaff, B., Goh, E.-J., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: Proceedings of the 11th ACM conference on Computer and communications security. pp. 298–307 (2004)
13. Vreugdenhil, P.: Pwn2Own 2010 Windows 7 Internet Explorer 8 exploit.
14. Gawlik, R., Holz, T.: ${$SoK$}$: Make ${$JIT-Spray$}$ Great Again. In: 12th USENIX Workshop on Offensive Technologies (WOOT 18) (2018)
15. Göktas, E., Kollenda, B., Koppe, P., Bosman, E., Portokalidis, G., Holz, T., Bos, H., Giuffrida, C.: Position-independent code reuse: On the effectiveness of aslr in the absence of information disclosure. In: 2018 IEEE European Symposium on Security and Privacy (EuroS&P). pp. 227–242 (2018)
16. Checkoway, S., Davi, L., Dmitrienko, A., Sadeghi, A.R., Shacham, H., Winandy, M.: Return-oriented programming without returns. Proc. ACM Conf. Comput. Commun. Secur. 559–572 (2010). https://doi.org/10.1145/1866307.1866370
17. Bletsch, T., Jiang, X., Freeh, V.W.: Jump-oriented programming: a new class of code-reuse attack. Proc. 6th Int. Symp. Information, Comput. Commun. Secur. ASIACCS 2011. (2011)
18. Brizendine, B.: JOP ROCKET repository, https://github.com/Bw3ll/JOP_ROCKET/
19. Babcock, A.: IcoFX 2.6 - “.ico” Buffer Overflow SEH + DEP Bypass using JOP, https://www.exploit-db.com/exploits/49959
20. Specter: Sony Playstation 4 (PS4) 5.05 - BPF Double Free Kernel Exploit Writeup, https://www.exploit-db.com/exploits/45045
21. Brizendine, B., Babcock, A., Kramer, A.: Move Over, ROP: Towards a Practical Approach to Jump-Oriented Programming. HITBMag. 121–152 (2021)
22. Intel Corporation: Control-flow Enforcement Technology Preview, https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf
23. Schuster, F., Tendyck, T., Liebchen, C., Davi, L., Sadeghi, A.-R., Holz, T.: Counterfeit object-oriented programming: On the difficulty of preventing code reuse attacks in C++ applications. In: 2015 IEEE Symposium on Security and Privacy. pp. 745–762 (2015)
24. Brizendine, B. Windows Syscalls in Shellcode: Advanced Techniques for Malicious Functionality. Hack in the Box Amsterdam (2023).

CON - Sunday - 10:00-11:59 PDT

Adversary Village is a community-driven initiative that prioritizes adversary simulation, emulation, breach and attack simulation, adversary tactics, offensive/adversary tradecraft, philosophy, and purple teaming.

Our objective is to establish a Capture the Flag competition dedicated to adversary simulation, purple teaming and knowledge sharing. Adversary Wars offers unique opportunities for “adversaries” aka participants to simulate attacks, explore new attack vectors, gain insights into threat actor profiles, master TTPs, and refine offensive tradecraft. With a range of adversary simulation exercises at different difficulty levels, this CTF promises real-world attack simulation scenarios and challenges.

Previous versions of the Adversary Wars CTF were hosted as part of Adversary Village, during DEF CON 29 and DEF CON 30. We are excited to be back at DEF CON as an official contest this year. Adversary Wars CTF will be located in the contest area for DEF CON 31.​

AIV - Sunday - 11:15-11:45 PDT

AIV - Sunday - 10:00-12:59 PDT

This exercise, first of its kind, will allow the best and brightest minds in the security industry to join diverse voices new and veteran to the AI scene in pursuit of making AI and machine learning safer.

TCV - Sunday - 10:30-10:59 PDT

APV - Sunday - 12:00-13:59 PDT

APV - Sunday - 11:45-12:30 PDT

The presentation will address key questions such as what Android pentesting is, how to set up an Android App pentest lab, and how to pentest an Android App and its APIs from start to finish.

Participants will leave the session with tips and resources for learning, practicing, and setting up a complete set of tools for Android application pentesting, including detailed examples on a purposefully vulnerable application. The goal is to equip attendees with the knowledge and skills necessary to conduct thorough and effective pentests of Android applications.

ASV - Sunday - 10:00-13:59 PDT

Boeing

**Laptop Needed**

Boeing will be hosting an ARINC 615a dataload CTF broken into two major modules. The first module will focus on decomposing and analyzing a PCAP capture of a simulated dataload between an airplane dataload server and an avionics component. The second module will allow participants to execute a dataload against simulated avionics to help improve understanding and awareness of how software is loaded onto airplanes. Additionally, Boeing is aiming to increase its cyber outreach into the STEM community by offering an additional challenge centered on an operational system and the impact of that system on the overall airplane. The challenge will walk participants through how the operational system functions, how it can be negatively impacted, the results of tampering with the system while it’s in flight, and how the system can secured via CIA and PKI.

RTV - Sunday - 09:00-10:59 PDT

ASV - Sunday - 10:00-13:59 PDT

AIAA

We have added a special feature to this year’s activities during DEF CON 31. This will be on Friday and Saturday from 11AM - 5PM.

Our friends at AIAA are helping us host “Ask Me Anything” sessions on Friday and Saturday. It’s an opportunity to meet Aerospace Village members and partners who are experts in the field. Bring your questions about getting into cybersecurity, aviation, space, likes/dislikes, you name it!

• A chance to ask all your questions, get their perspective, and hear some great stories.
• A low-key sharing of experiences and a way to make new friends without having to make small talk.
• Note: This is NOT a recruiting activity. Ask career questions if you have them, but think of this more as a chance for general "speed mentoring."

BHV - Sunday - 13:20-13:59 PDT

CON - Sunday - 10:00-11:59 PDT

The vulnerable network services will include real world vulnerable services where a competitor can adopt off the shelf proof-of-concepts vulnerabilities from an offensive security resource (ex: Metasploit Framework, exploit-db, packetstorm, etc…) into their bot to achieve access to said vulnerable services. Additionally, custom built vulnerable services informed by OWASP Top 10 security bugs as well as CVEs will influence challenge development resulting in a competitor to have the experience of reverse engineering new applications to identify vulnerabilities based on historically significant pain points in Software Engineering as well as infamous historical CVEs. Battle of The Bots will give competitors of all skill levels an opportunity to develop proof-of-concept exploits. Network services will be developed in a variety of compiled and interpreted languages with varying associated vulnerabilities and points. The variety of languages will provide opportunities for those less experienced with reverse engineering to analyze vulnerable Python code to find hidden API endpoints that lead to shell execution for example, rather than reverse engineer compiled binaries.

Finally, the BOTBs team will be capturing network traffic from the competition environment to later be shared with the wider community. The BOTBs team believes that this unique dataset of network service attacks can act as a unique resource for academic researchers, SOC analysts assessing their defenses and training events where having attack data for SIEM analysis. The data will be released under the Apache 2.0 License and hosted publicly on a yet to be determined platform.

BTV - Sunday - 12:45-13:45 PDT

Blue Team Village Closing Ceremony

BTV - Sunday - 10:00-10:45 PDT

Game session

ASV - Sunday - 10:00-13:59 PDT

Aerospace Village

Bricks in the Air is a hands-on demo to teach the basics of low level protocols seen in aviation. The demo uses the I2C protocol and does not reveal actual security vulnerabilities in avionics or other systems in aviation. The attendees are not required to have any prerequisite knowledge. No equipment is needed for attendees.

PHV - Sunday - 09:00-12:59 PDT

DC - Sunday - 11:00-11:45 PDT

Placing these items in context reveals a far more troubling picture.After reviewing the capabilities of Amezit and Scan-V, we can see glimpses of historical programs in the advertised efficacy of these projects. We will consider other items that have leaked over the years offering similar capabilities, albeit in different circumstances.Examples include Russia’s SORM framework for domestic operations,China’s Great Firewall and (more significantly) Great Cannon programs, and items that emerged in the Snowden leaks such as the US’s alleged “Quantum” program.

By analyzing these additional projects, we will observe a decade’s long trend in the systematization and scaling of cyber programs, especially with respect to automated exploitation and infrastructure management. Vulkan and related items, as significant as they are, represent a culmination of operational evolution and an example of the proliferation of capabilities following disclosure. With programs such as Scan-V exposed, we should anticipate other entities seeking to mirror such capabilities, progressing beyond botnets and other distributed systems to effective management of dispersed capabilities for signals intelligence and cyber operations.

REFERENCES

- https://www.spiegel.de/thema/vulkanfiles/?d=1680188834 - https://www.spiegel.de/international/world/the-vulkan-files-a-look-inside-putin-s-secret-plans-for-cyber-warfare-a-4324e76f-cb20-4312-96c8-1101c5655236 - https://www.theguardian.com/technology/2023/mar/30/vulkan-files-leak-reveals-putins-global-and-domestic-cyberwarfare-tactics - https://citizenlab.ca/2015/04/chinas-great-cannon/ - https://resources.infosecinstitute.com/topic/turbine-quantum-implants-arsenal-nsa/ - https://theintercept.com/2014/03/12/nsa-plans-infect-millions-computers-malware/ - https://www.wired.com/2014/03/quantum/ - https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm/

PSV - Sunday - 14:00-14:30 PDT

PSV - Sunday - 14:30-14:59 PDT

CLV - Sunday - 10:00-10:40 PDT

In this presentation, I'll explain the common cause of the GCR misconfiguration and how other GCP service defaults can widen the exposure. We'll also discuss our scanner's approach in narrowing down potential target projects and avoiding GCP abuse mitigation. Finally, we'll go over the common mistakes I found in image builds and applications that allowed simple image exposure to cascade into privilege escalation and direct production system access.

CON - Sunday - 10:00-12:59 PDT

CON - Sunday - 10:00-11:59 PDT

With the largest collection of hackers in one area, there's no better way to understand the security state of an industry without bringing it to security professionals to break. Over the past 9 years, the Car Hacking Village has been the focal point of interest for new hackers entering the automotive industry to learn, be a part of and actually test out automotive technologies. Our contest at the village, in combination with many automotive OEMs, Suppliers, etc., is used to give people first hand experience on cutting edge and at times expensive technologies. We plan to use this event to keep drawing attention to the automotive security industry through hands-on challenges.

DC - Sunday - 10:00-10:45 PDT

Using the above framework, our international experiments in commercial networks revealed exploitable inconsistencies in traffic metering, leading to multiple data "phreaking" opportunities ("free-ride"). We also expose problematic IPv6 firewall configurations, hidden SIM card communication to the home network, and fingerprint dial progress tones to track victims across different roaming networks and countries with voice calls.

REFERENCES:

Gabriel K. Gegenhuber, Wilfried Mayer, and Edgar Weippl. Zero-Rating, One Big Mess: Analyzing Differential Pricing Practices of European MNOs. In IEEE Global Communications Conference (GLOBECOM), 2022 Gabriel K. Gegenhuber, Wilfried Mayer, Edgar Weippl, Adrian Dabrowski. MobileAtlas: Geographically Decoupled Measurements in Cellular Networks for Security and Privacy Research., 2023, In proceedings of the 32th USENIX Security Symposium 2023. David Allen Burgess. What is AT&T doing at 1111340002? Welcome to the magical world of proac-tive SIMs., 2021. https://medium.com/telecom-expert/what-is-at-t-doing-at-1111340002-c418876c212c David Allen Burgess. More Proactive SIMs., 2021. https://medium.com/telecom-expert/more-proactive-sims-f8da2ef8b189 OSMOCOM. Simtrace 2. https://osmocom.org/projects/simtrace2/wiki osmocom.org. pySim-prog - Utility for programmable SIM/USIM-Cards. https://osmocom.org/projects/pysim/wiki The MONROE Alliance. Measuring Mobile Broadband Networks in Europe. https://www.monroe-project.eu

CON - Sunday - 10:00-11:59 PDT

Our CTF is a three days jeopardy style contest where we have a bunch of challenges hosted across multiple Cloud providers across multiple categories of difficulty.

You can register as teams or go solo, use hints or stay away from them, in the end it will be all for glory or nothing. Plus the prizes. Did we not mention the prizes? :D

CON - Sunday - 10:00-11:59 PDT

Learn to see web applications and services from an attacker's perspective. CMD+CTRL is a hacking game designed to teach the fundamentals of web application security. Explore vulnerable web applications, discover security flaws, and exploit those flaws to earn points and climb up the scoreboard. After attacking an application for yourself, you'll have a better understanding of the vulnerabilities that put real applications at risk - and you'll be better prepared to find and fix those vulnerabilities in your own code.

At DEF CON 31: We will be debuting our latest Cyber Range, which focuses on exploiting a modern health record management system, dubbed ShadowHealth. Inspired by the latest trends and real world exploits, try your hands exploiting: SSRF, Log4Shell, reverse engineering, local privilege escalation, password cracking, XXS, and so much more! With over 35 challenges do you think you can complete them all?

CMD+CTRL will have two different games happening: free play, and the competition. Both require a code to join, and the best way to get a code is to go to the CMD+CTRL booth in the contest area. Codes to join free play may be given in Discord, on Thursday. Questions and such will also only be answered at the booth; Discord will not be staffed this year, aside from free play codes on Thursday. Once you have a code, you can play online, from anywhere -- you do not have to be in the contest area.

CLV - Sunday - 12:40-13:10 PDT

CNAPPGoat supports modular deployment of various vulnerable environments and is a multi-cloud tool. CNAPPGoat is built on Pulumi and supports multiple programming languages. It operates as a CLI tool, requiring no specific IaC expertise, enabling a wide range of professionals to deploy and monitor environments.

The tool enables defenders to test detection, prevention, and control mechanisms against vulnerabilities and misconfigurations, while aiding offensive professionals by providing practice environments. Demonstrations will include tool showcasing, deployment and remediation of a scenario, practical exploitation for learning, and guidance on building modules to customize CNAPPGoat.

SEV - Sunday - 10:00-11:30 PDT

This is on a first-come, first-served basis. Please see the "More Information" link.

DC - Sunday - 10:00-13:59 PDT

DC - Sunday - 14:00-15:15 PDT

Black Badge (UBER) Winners will be announced at the DEF CON Closing ceremonies & awards, immediately following this session.

CPV - Sunday - 10:00-10:05 PDT

CON - Sunday - 10:00-11:59 PDT

We're preparing hashes from easy to hard, so there'll be something for you if you want to compete casually as a Street team, or go all out in Pro.

Where we're going, we don't need roads. Purely a penchant for puzzles, perhaps a plethora of processors.

Check out past years' contests at https://contest.korelogic.com/ , and the Password Village at https://passwordvillage.org/

IOTV - Sunday - 10:00-13:59 PDT

Bring a laptop, your favorite intercepting proxy, and a lot of caffeine.

CON - Sunday - 10:00-11:59 PDT

SOC - Sunday - 12:00-13:59 PDT

DC - Sunday - 15:30-17:30 PDT

CON - Sunday - 10:00-11:59 PDT

Come visit the DEF CON Scavenger Hunt table in the contest area and get a list, register your team of 1 to 5 players, and gather or accomplish as many items from the list as you can. Items are submitted at the table, better than average submissions shall be awarded bonus points. The team who turns in the most points by Sunday at noon will win the admiration of your like-minded peers.

The DEF CON Scavenger Hunt is one of the longest running contests at DEF CON, visit https://defconscavhunt.com for a history lesson.

If you capture pictures or video of items from our list, or have in the past, please send them to us via email scavlist@gmail.com.

--

The scavenger hunt list is open to interpretation and we are not responsible for how list items are interpreted. We have had a number of pre-teens and teenagers play the scavenger hunt over the years, primarily with their parents but occasionally alone. The team that won at DC24 included a teenager with their parents. Parental Guidance Recommended.

CON - Sunday - 10:00-11:59 PDT

--

Rated PG-13.

MISC - Sunday - 06:00-11:59 PDT

Defcon.run is an evolution of the now long running Defcon 4x5K running event. But now it's bigger and more fun! Due to stupendous growth, we’ve been forced to change up the format. This year's activity will look to match up folks for fun runs, and rucks (!), in smaller distributed groups around Las Vegas. It’s the same old event but at a distributed scale! Show up in the morning to beat the heat, go for a run with folks, have a good time!

We’ll have a full set of routes for people to choose from from simple 5Ks to more ambitious distances.

You can register to log your distance, we'll have a leader board, and shenanigans! Full Information at https://defcon.run

Interested parties should rally at Harrah's Goldfield at 06:00, but be sure to check [defcon.run](https://defcon.run) for any updates.

PSV - Sunday - 11:30-11:59 PDT

CON - Sunday - 10:00-13:59 PDT

The Embedded CTF contest is an exciting opportunity to explore the intricacies of these systems and test your skills in a competitive environment. Contestants are challenged to find vulnerabilities in the firmware or hardware and exploit them to gain access or control over the device. The contest offers a unique opportunity to explore embedded devices' inner workings and understand their design's security implications.

New devices will be dramatically introduced at set intervals throughout the competition, and point values will decrease over time. This keeps contestants guessing and on their toes, forcing them to adapt and use their skills to tackle new challenges. It also offers a chance to learn about different types of devices and how they function, broadening participants' knowledge and experience.

By participating in the contest, teams of up to 6 contestants can develop a deep understanding of how these systems operate and how to secure them against potential attacks. Additionally, the contest encourages participants to think outside the box and approach problems creatively, honing their problem-solving skills.

With the increasing integration of technology in our daily lives, embedded devices are becoming more ubiquitous. Whether you're a seasoned security professional or just starting in the field, this contest offers a chance to learn, test your skills, and have fun in a dynamic and competitive environment.

IOTV - Sunday - 10:00-13:59 PDT

ESV - Sunday - 10:00-13:59 PDT

**Embedded CTF**
An approachable yet challenging CTF competition with a wide range of embedded devices and attacks.

Categories include:

• Physical
• Network
• RF
• Mobile (Powered by Corellium)
• Firmware
• Badge - custom challenges built into the ESV badge

**101 Labs**
A series of computer-based workshops that will guide you through the basics of hacking embedded devices. From extracting and analyzing firmware, exploiting command injections and more, these labs will introduce even the most noob to the world of embedded device hacking.

**Hands-on Hardware Hacking**
We've raided our local thrift stores and electronics recyclers and brought a whole bunch of embedded systems for you to try out the ESV badge on. Come pull memory chips off PCBs, dump memory, connect to UART consoles, and see what was left behind on these devices!

**LoRA Labs**
A hands-on and interactive lab using LoRa gateways where you will discover the noisy 915 MHz radio spectrum world.

APV - Sunday - 10:00-11:59 PDT

ReactJS, a prominent framework in today's tech landscape, has taken strides to mitigate such threats, offering automatic defenses against Cross-Site Scripting. However, building secure ReactJS applications requires in-depth knowledge and specialized expertise.

In this presentation, we will delve into the realm of general-purpose Cross-Site Scripting defense and various client-side security strategies within the ReactJS framework. ReactJS developers of all levels are invited to join us as we explore advanced techniques and practical recommendations that can elevate your approach to ReactJS security.

Our discussion will cover several important topics:

• Understanding the React Component Attack Surface
• Handling Unescaped Props and Types
• Exploring the Use of dangerouslySetInnerHTML
• Properly Handling JavaScript URLs in the React Context
• Integrating CSS Styled-Components with React
• Navigating JSON Embedding and React
• Unraveling React's Automatic Defenses
• Mastering Manual Defense Techniques in React
• Understanding React Lazy Loading and Access Control
• Investigating React Template Injection
• Exploring Server-side Rendering in React

Join us for an informative session that aims to enhance your skill set and bolster your defense strategies for creating more secure ReactJS applications. Let's navigate the intricacies of ReactJS security together, empowering ourselves with advanced defense techniques to foster a secure environment for application development.

DC - Sunday - 10:00-13:59 PDT

DC - Sunday - 13:00-13:45 PDT

Since he started learning cybersecurity he has tried to share his knowledge with the infosec community by publishing open source tools such as https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite and writing a free hacking book that anyone can consult at https://book.hacktricks.xyz.

We will begin by providing an overview of the unique challenges faced in these limited environments and discuss the reasons behind their increasing prevalence. Next, we will explore how attackers can exploit vulnerabilities within these constraints and demonstrate several novel methods for manipulating Linux memory.

Throughout the presentation, we will showcase real-world examples and provide step-by-step explanations for each technique, enabling attendees to gain a deeper understanding of how they can be employed by adversaries. Additionally, we will discuss potential countermeasures and mitigation strategies to help security professionals better defend against these emerging threats.

By attending this presentation, participants will gain valuable insights into the latest advancements in Linux memory manipulation and acquire the knowledge needed to anticipate and counter stealthy attacks in constrained environments. Whether you are a security researcher, a system administrator, or an ethical hacker, this session will equip you with the expertise necessary to stay ahead of the curve in the ever-evolving world of cybersecurity.

REFERENCES

Most of the parts of the developed technique for this presentation is just based on our knowledge and experience. However, it's true that some previous research was done in this topic by sektor7 in https://blog.sektor7.net/#!res/2020/meterp-inject-yt.md and David Buchanan in https://twitter.com/David3141593/status/1386663070991360001

APV - Sunday - 12:00-13:59 PDT

PHV - Sunday - 09:00-12:59 PDT

PSV - Sunday - 12:30-12:59 PDT

CON - Sunday - 11:00-13:59 PDT

SOC - Sunday - 12:00-12:59 PDT

Friday
12:00-13:00
17:00-18:00

Saturday
12:00-13:00
17:00-18:00

Sunday
12:00 -13:00

AIV - Sunday - 10:00-10:25 PDT

1. Black-Box Compatibility: Unlike gradient-based methods, which typically require access to the model's internal parameters, fuzzing and symbolic execution can be applied to black-box models where such information is unavailable.
2. Different Error Detection: These methods can uncover a different set of potential issues that may not be readily discovered or expressed using gradient-based techniques, such as floating point errors, numerical instabilities, and discrepancies between quantized and unquantized models.

AIV - Sunday - 10:45-11:30 PDT

ASV - Sunday - 10:00-13:59 PDT

IntelliGenesis and IG Labs

IG Labs will be bringing our Runway Lighting System in a box as part of our Hack The Airport CTF. Participants will be able to attempt to get hands on with practical OT and IT cyber security environment in a mobile converged environment with real-world hardware and protocols.

CON - Sunday - 12:00-13:30 PDT

ASV - Sunday - 12:00-12:50 PDT

MIV - Sunday - 10:00-11:30 PDT

SOC - Sunday - 12:00-13:59 PDT

Please send photos of our fallen hacker comrades to [defconmemorial@protonmail.com](mailto:defconmemorial@protonmail.com), to be printed and displayed on the memorial wall here at DEF CON.

APV - Sunday - 10:15-10:59 PDT

This presentation results from detailed research on the topic where the author investigated abuse case scenarios, such as how attackers leveraged this free service to mine cryptocurrencies on their behalf and behalf of other users, among other attack vectors. We'll also demonstrate how to perform interactive commands to the Runner servers via reverse shell, which is technically not allowed via traditional means. Ultimately, we'll show the problem of third-party dependencies via the GitHub Actions Marketplace. Finally, we'll demonstrate how easy creating and publishing a fake GitHub Action on the GitHub Marketplace is. And if used unwillingly by other projects, it can compromise the victim's Runners to act as bots, target other victims, and even be used in supply-chain attacks by tampering with the result of the pipeline or even creating a botnet of crypto miners inside Azure.

ASV - Sunday - 13:00-13:50 PDT

RTV - Sunday - 11:00-11:59 PDT

CON - Sunday - 10:00-11:59 PDT

Expanded this year with increased difficulty each day. Friday: Foxes in a small area, non moving Saturday: Foxes in a larger area, with one moving. Sunday: Foxes are on the move. The hunt is on!

There will also be a beginner friendly, no radio required, Infrared LED Fox Hunt running everyday which participants can use their cameras on their phones to find!

--

We have had many kids participate and complete the contest over the years... and they've all had a blast doing so.

PLV - Sunday - 11:00-11:50 PDT

Kurt Opsahl will be your most masterful and hungover Trivia Master, joined by three surprise judges.

CON - Sunday - 10:00-11:59 PDT

Heat up your soldering iron and freshen the batteries in your multimeter! The Hardware Hacking Village (HHV) is hosting their first official DEF CON Capture the Flag (CTF). This is a jeopardy style CTF, designed to challenge participants in various aspects of hardware hacking. Whether you're new to hardware hacking or experienced and just looking for something to do while you wait for your fault injection to trigger, all are welcome and challenges range from beginner to advanced.

IOTV - Sunday - 10:00-13:59 PDT

CON - Sunday - 09:00-12:59 PDT

SOC - Sunday - 12:00-13:59 PDT

SOC - Sunday - 12:00-13:59 PDT

PHV - Sunday - 09:00-12:59 PDT

CPV - Sunday - 13:00-13:45 PDT

APV - Sunday - 12:00-13:59 PDT

RTV - Sunday - 09:00-09:59 PDT

DC - Sunday - 10:00-13:59 PDT

• These notes apply to human registration only. You are a human if you are not a goon, official speaker, village staff, press, black badge holder, or similar. (If you are one of those, you need to register separately. If you don't know how, see an NFO goon (infobooth).)
• Badges are required for everyone ages 8 and older.
• If you pre-registered, please ensure that your QR code is readily accessible. If you will be presenting it on a smartphone, please ensure that your display is set to maximum brightness as you near the front of the line.
• If you did not pre-register, all badge sales are CASH ONLY! No checks, money orders, credit cards, IOUs, or anything else will be accepted. Please have exact change ready as you near the front of the line.
• To reiterate, **please have exact change ready**.
• If you purchase a DEF CON badge from BlackHat, please get your badge from BlackHat before they close.
• If you lose your badge, there is no way for us to replace it. You'll have to buy a replacement at full price.
• If you are being accompanied by a full-time caretaker (such as someone who will push your wheelchair, and will accompany you at all times), please ask to speak to a Registration Goon. Your caretaker will receive a paper badge that will permit them to accompany you everywhere you go.
• A generic receipt for the cash sale of a badge will be made available on media.defcon.org after the conference. You are welcome to print your own copy of the receipt, if you need a receipt. Printed receipts are not available at the time of purchase.
• Please help us make this a great experience for everyone: **follow directions given by goons** and get in the correct line. Note that there may be one line for all of registration, or there may be two lines (pre-registration vs cash) -- this may change over time, based on available staffing and necessary crowd control.
• Please be patient. The time listed here for the beginning of registration is approximate. We will begin processing the line on Thursday morning as soon as the cashiers and materials are in place; this may be earlier or later than the scheduled time.
• There are no refunds given for cash sales. If you have any doubt, do not buy the badge.
• If you have questions about anything regarding registration, that are not addressed here, please ask to speak to a Registration Goon.

APV - Sunday - 10:00-11:59 PDT

ICSV - Sunday - 11:30-11:59 PDT

CPV - Sunday - 10:30-10:45 PDT

LPV - Sunday - 10:15-10:45 PDT

LPV - Sunday - 13:00-13:30 PDT

RTV - Sunday - 10:00-10:59 PDT

CON - Sunday - 10:00-13:59 PDT

This CTF is open to anyone! It is approachable for entry level people to experience getting their first root shell on IoT, but to really advance in this CTF teams will need to perform detailed vulnerability research, hardware hacking, firmware analysis, reverse engineering, and limited exploit development.

CTFs are a great experience to learn more about security and test your skills, and the IoT CTF provides the most realistic hacking experience around! So, join up in a team (or even by yourself) and compete for fun and prizes! Exploit as many as you can during the con and the top three teams will be rewarded.

IOTV - Sunday - 10:00-13:59 PDT

IOTV - Sunday - 10:00-13:59 PDT

ICSV - Sunday - 12:30-12:59 PDT

MISC - Sunday - 10:00-10:59 PDT

ICSV - Sunday - 10:00-10:30 PDT

MISC - Wednesday - 17:00-06:59 PDT

Doors open at 17:00 Wednesday. Registration will open and queue processing will begin at approximately 07:00 Thursday.

At all times, follow directions from on-duty goons -- linecon may need to be relocated into a different ballroom. The currently planned location is Caesars Forum, Rooms 101-103.

For purposes of clarity: Caesars Forum is not connected to Caesars Palace; it is connected to Harrah's and LINQ. Please see the published maps (in this app) for further information.

Please also review the "Human Registration Open" event, and familiarize yourself with the **important notes** therein.

PHV - Sunday - 09:00-12:59 PDT

DC - Sunday - 12:00-12:45 PDT

He is a urban cycling enthusiast that needs to wear his helmet more often, a techno and bass aficionado, and tree wizard.

Before finding vulnerabilities for a living he developed scientific computing software. See his Clojure-based Sequoia database fuzzer for an ideal representation of X's skill set and interests.

There are many valid criticisms of GPT models for writing code like the tendency to hallucinate functions, not being able to reason about architecture, training done on amateur code, limited context due to token length, and more. None of which are particularly important when writing fuzz tests. This presentation will delve into the integration of LLMs into fuzz testing, providing attendees with the insights and tools necessary to transform and automate their security assessment strategies.

The presentation will kick off with an introduction to LLMs; how they work, the potential use cases and challenges for hackers, prompt writing tips, and the deficiencies of current models. We will then provide a high level overview explaining the purpose, goals, and obstacles of fuzzing, why this research was undertaken, and why we chose to start with 'memory safe' Python. We will then explore efficient usage of LLMs for coding, and the primary benefits LLMs offer for security work, paving the way for a comprehensive understanding of how LLMs can automate tasks traditionally performed by humans in fuzz testing engagements.

We will then introduce FuzzForest, an open source tool that harnesses the power of LLMs to automatically write, fix, and triage fuzz tests on Python code. A thorough discussion on the workings of FuzzForest will follow, with a focus on the challenges faced during development and our solutions. The highlight of the talk will showcase the results of running the tool on the 20 most popular open-source Python libraries which resulted in identifying dozens of bugs.

We will end the talk with an analysis of efficacy and question if we'll all be replaced with a SecurityGPT model soon.

To maximize the benefits of this talk, attendees should possess a fundamental understanding of fuzz testing, programming languages, and basic AI concepts. However, a high-level refresher will be provided to ensure a smooth experience for all participants.

REFERENCES

My original blog post that sparked the idea: https://infiniteforest.org/LLMs+to+Write+Fuzzers

Blogs

https://comby.dev/blog/2022/04/11/comby-decomposer-compiler-fuzzing https://martinfowler.com/articles/2023-chatgpt-xu-hao.html

Research Papers:
https://arxiv.org/abs/2212.14834
https://embed.cs.utah.edu/csmith/
https://www.usenix.org/system/files/sec23fall-prepub-446-fu.pdf

Tools

https://github.com/google/atheris https://github.com/mpaepper/llm_agents

Prompt Course:
https://www.deeplearning.ai/short-courses/chatgpt-prompt-engineering-for-developers/

LPV - Sunday - 10:00-13:59 PDT

Then come on by the Lockpick Village, run by The Open Organization Of Lockpickers, where you will have the opportunity to learn hands-on how the fundamental hardware of physical security operates and how it can be compromised.

The Lockpick Village is a physical security demonstration and participation area. Visitors can learn about the vulnerabilities of various locking devices, techniques used to exploit these vulnerabilities, and practice on locks of various levels of difficultly to try it themselves.

Experts will be on hand to demonstrate and plenty of trial locks, pick tools, and other devices will be available for you to handle. By exploring the faults and flaws in many popular lock designs, you can not only learn about the fun hobby of sport-picking, but also gain a much stronger knowledge about the best methods and practices for protecting your own property.

--

A popular spot for new lock pickers! Highly recommended you stop by. The Lockpick Village is always kid friendly and welcomes folks of all ages. We do require that the parents stay with the kids.

RTV - Sunday - 09:00-09:59 PDT

CON - Sunday - 10:00-11:59 PDT

QTV - Sunday - 10:00-10:59 PDT

MIV - Sunday - 11:30-11:59 PDT

XRV - Sunday - 11:00-11:59 PDT

HRV - Sunday - 12:00-12:30 PDT

PHV - Sunday - 09:00-12:59 PDT

CON - Sunday - 10:00-11:59 PDT

XRV - Sunday - 11:00-11:59 PDT

LPV - Sunday - 12:00-13:30 PDT

RTV - Sunday - 11:00-11:59 PDT

PHV - Sunday - 09:00-12:59 PDT

PHV - Sunday - 09:00-13:59 PDT

DC - Sunday - 14:00-15:15 PDT

REFERENCES:
https://www.cnet.com/tech/services-and-software/use-cnet-shopping-to-seek-out-the-best-deals/ https://www.steptoecyberblog.com/files/2012/11/ccmanual1.pdf https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/03/26/forensics_chart.pdf https://www.justice.gov/archives/opa/blog/important-court-opinion-holds-lawful-warrants-can-be-used-obtain-evidence-us-internet https://www.19thcircuitcourt.state.il.us/1610/Guide-to-Conducting-Mock-Trials

PHV - Sunday - 09:00-12:59 PDT

PWV - Sunday - 10:00-13:59 PDT

RTV - Sunday - 10:00-10:59 PDT

APV - Sunday - 10:00-11:59 PDT

Examples:
With Pasteur this classic sql injection code sql << pstr / "select email from demo.useremails where username = " + name + " and type=" + emailType; is automatically converted into a parameterized sql query

This os injection code
System(pstr / "ping " + hostname)
automatically sanitizes the hostname parameter.

See more at https://github.com/SecureFromScratch/pasteur

PYV - Sunday - 10:00-13:59 PDT

1. A CTF for which there is no equipment is required.
2. Card Hacking Challenge for which you will need an Android phone with NFC and a special Card Hacking Challenge card (grab one on the booth):
3. Easter egg hunt. Use your brain!

We have a tonne of cool prizes to be won, such as custom mugs, numbered challenge coins with atc numbers, key rings, embroidered patches and more!

IOTV - Sunday - 10:00-13:59 PDT

PSV - Sunday - 10:00-13:59 PDT

BTV - Sunday - 11:00-11:30 PDT

Project Obsidian panel discussion: Who, What, When, Where, and How

ASV - Sunday - 10:00-13:59 PDT

Pen Test Partners

Come try your hand at flying our immersive Airbus A320 simulator and see if you can stick our landing challenge! We'll also be talking about electronic flight bags, how their data integrity is relied upon by pilots to assist with a safe landing, and demonstrate the impacts in a safe environment.

PLV - Sunday - 10:00-10:50 PDT

QTV - Sunday - 12:00-12:59 PDT

QTV - Sunday - 11:00-11:59 PDT

CON - Sunday - 10:00-12:59 PDT

RF Hackers Sanctuary (the group formerly known as Wireless Village) is once again holding the Radio Frequency Capture the Flag (RFCTF) at DEF CON 31. RFHS runs this game to teach security concepts and to give people a safe and legal way to practice attacks against new and old wireless technologies.

We cater to both those who are new to radio communications as well as to those who have been playing for a long time. We are looking for inexperienced players on up to the SIGINT secret squirrels to play our games. The RFCTF can be played with a little knowledge, a pen tester’s determination, and $0 to $$$$$ worth of special equipment. Our new virtual RFCTF can be played completely remotely without needing any specialized equipment at all, just using your web browser! The key is to read the clues, determine the goal of each challenge, and have fun learning.

There will be clues everywhere, and we will provide periodic updates via discord and twitter. Make sure you pay attention to what’s happening at the RFCTF desk, #rfctf on our discord, on Twitter @rf_ctf, @rfhackers, and the interwebz, etc. If you have a question - ASK! We may or may not answer, at our discretion.

FOR THE NEW FOLKS

Our virtual RFCTF environment is played remotely over ssh or through a web browser. It may help to have additional tools installed on your local machine, but it is not required.

Read the presentations at: https://rfhackers.com/resources

Hybrid Fun

For DEF CON 31 we will be running in “Hybrid” mode. That means we will have both a physical presence AND the virtual game running simultaneously. All of the challenges we have perfected in the last 2 years in our virtual game will be up and running, available to anyone all over the world (including at the conference), entirely free. In addition to the virtual challenges, we will also have a large number of “in person” only challenges, which do require valid conference admission. These “in-person” only challenges will include our traditional fox hunts, hide and seeks, and king of the hill challenges. Additionally, we will have many challenges which we simply haven’t had time or ability to virtualize. Playing only the virtual game will severely limit the maximum available points which you can score, therefore don’t expect to place. If you play virtual only, consider the game an opportunity to learn, practice, hone your skills, and still get on the scoreboard for bragging rights. The virtual challenges which are available will have the same flags as the in-person challenges, allowing physical attendees the choice of hacking those challenges using either (or both) methods of access.

THE GAME

To score you will need to submit flags which will range from decoding transmissions in the spectrum, passphrases used to gain access to wireless access points, or even files located on servers. Once you capture the flag, submit it to the scoreboard right away, if you are confident it is correct. Flags will be worth less points the more often they are solved. Offense and defense are fully in play by the participants, the RFCTF organizers, and the Conference itself. Play nice, and we might also play nice.

Getting started guide: https://github.com/rfhs/rfhs-wiki/wiki

Helpful files (in-brief, wordlist, resources) can be found at https://github.com/rfhs/rfctf-files

Support tickets may be opened at https://github.com/rfhs/rfctf-support/issues

Our whole game is also open source and available at: https://github.com/rfhs/rfctf-container

RTV - Sunday - 09:00-10:59 PDT

CON - Sunday - 10:00-11:59 PDT

The contest would house actual ICS (Industrial Control System) devices from various vendors on a testbed showcasing different sectors of critical infrastructure. The participants would be able to view and engage with the devices in real time and understand how each of them control each of the aspects of the testbed and leverage this to compromise the devices.

Red Alert ICS CTF is back with a ton of fun challenges after successfully running the CTF at DEF CON 30, DEF CON 29, DEF CON 27 and DEF CON 26 (Black Badge).

Highlights of the previous Red Alert ICS CTF is available at: https://www.youtube.com/watch?v=dz7hNnavHaY and https://youtu.be/AanKdrrQ0u0

CON - Sunday - 10:00-11:59 PDT

The Red Team CTF is designed to simulate real-world scenarios in which attackers attempt to penetrate the security of a network or system. Participants are expected to use a wide range of hacking techniques, tools, and skills to identify and exploit vulnerabilities in the target network.

Teams are typically composed of experienced hackers, penetration testers, and security researchers who have a deep understanding of the latest cybersecurity threats and attack techniques. They must work together to uncover and exploit vulnerabilities in the target network, while also evading detection and countermeasures put in place by the Blue Team.

The Red Team CTF at DEFCON is considered one of the most challenging and prestigious CTF competitions in the world, with participants coming from all over the globe to compete. It is a high-pressure, high-stakes event that tests the limits of participants' technical and strategic abilities, and offers a unique opportunity to showcase their skills and knowledge in front of a global audience of Hackers.

PHV - Sunday - 09:00-12:59 PDT

DC - Sunday - 12:00-12:45 PDT

In this talk, Wesley will discuss the setup of a complete environment for hacking software for the Commodore Amiga line of computers, a 16/32 bit computing platform of the late 80s and early 90s (not to mention a dedicated following of users and software today). He will describe the hardware environment, OS architecture, and the practically endless library of software that can be used as interesting targets of research. On-system development and debugging software will be described, as well as using the modern Ghidra disassembler. A case study of identifying and exploiting a vulnerability in a 1994 vintage FTP client will be discussed in technical detail.

REFERENCES

• Vintage Computing preservation
  • https://www.tosecdev.org/ - TOSEC catalogs all known software and documentation for many vintage computing platforms
  • https://archive.org/ - Hosts tremendous archives of vintage documentation, magazines, software, etc
    • Books (largely available on archive.org)
  • The AmigaDOS Manual, 3rd Edition
  • Lance Leventhal - 68000 Assembly Language Programming, Second Edition
  • M68000 Programmer's Reference Manual
  • Amiga ROM Kernel Reference Manual, 3rd Edition, Volumes:
    • Libraries
    • Devices
    • Hardware Reference Manual
  • Devpac 3 for the Amiga - User Manual
  • SAS/C Development System User's Guide (vol. 1 & 2)
    • Development Kit Documentation
  • Amiga OS NDK 3.2 - https://www.hyperion-entertainment.com/index.php/downloads?view=files&parent=40
  • Amiga Developer CD 1.2 (1998, available on archive.org)
    • Previous talks that involved vintage computing
  • DC30 - Tristan Miller - Reversing the Original Xbox Live

    Protocols

  • DC30 - Cesare Pizzi - Old Malware, New tools: Ghidra and

    Commodore 64

TCV - Sunday - 10:00-10:30 PDT

HHV - Sunday - 10:00-12:59 PDT

LPV - Sunday - 11:00-11:59 PDT

APV - Sunday - 13:15-13:59 PDT

APV - Sunday - 10:00-11:59 PDT

APV - Sunday - 12:00-13:59 PDT

(Some coding experience in either C#, Java, Python or C++ required. You need to know loops, if, arrays and functions).

IOTV - Sunday - 10:00-13:59 PDT

CLV - Sunday - 11:20-11:59 PDT

Building the infrastructure to do this however can easily become very expensive and there are some big trade-offs to consider when building a security logging pipeline.

This talk will explain the different logging patterns that you can find in public clouds like AWS, GCP and Azure and the pitfalls and experience from building and rebuilding the security logging at different scale levels.

This talk should give any attendees protecting a company with a big cloud exposure valuable insights that could be applied to building a new security logging function and also how to improve their current security pipelines.

SEV - Sunday - 12:00-13:30 PDT

SEV - Sunday - 10:00-10:59 PDT

Please see the "More Information" link.

SEV - Sunday - 10:00-13:59 PDT

DC - Sunday - 09:00-15:30 PDT

So, what's the S.O.D.A. Machine all about?

Picture this:

You're at DEF CON, thirsty for some hacking. You're looking for a virtual machine (VM) to play with but don't want to be chained to your laptop.

Enter the Shell On Demand Appliance:

This heavily modified VM is your gateway to an anonymous VM, available in the Chillout Lounge and accessible over the DEF CON network.

A fusion of hardware, software, art, and hacking, all encapsulated in a project derived from recycled materials. The S.O.D.A. Machine provides a way for Humans to experience the DEF CON network in a way the secure WiFi won't allow, because the datacenter is inside the S.O.D.A. Machine and directly connected to the NOC.

Simply insert cash or coins into the bill or coin acceptor to get started. The lights on the buttons will change color depending on availibility.

A green light means the VM is available and ready.

An amber light requests the user to insert more money to ensure fair distribution according to current resources.

A red light denotes the selection is unavailable.

Once you make a selection, the system will deploy the VM to the network and a receipt will be printed.

On the receipt, login credentials are provided for you to access your virtual machine via remote shell. You are then able to change the password, install whatever tools and applications you need, making the VM your own.

What you do with the VM is up to you. Should you choose to share your virtual machine with someone outside of the DEF CON network, a Tor address is provided as well.

All proceeds go to the National Upcycled Computing Collective, Inc., a 501(c)(3) nonprofit organization helping further research and education in computer science, technology and engineering as an (NTEE U41) Research Institute.

We accept donations: https://www.paypal.com/paypalme/NUCC

DC - Sunday - 10:00-10:20 PDT

REFERENCES

Handoff All Your Privacy – A Review of Apple’s Bluetooth Low Energy Continuity Protocol Freqy DEFCON 29 RF Village - "Basics of Breaking BLE" Handoff All Your Privacy – A Review of Apple’s Bluetooth Low Energy Continuity Protocol DEF CON 26 - Damien virtualabs Cauquil - You had better secure your BLE devices Mike Spicer - I Know What U Did Last Summer 3 Yrs Wireless Monitoring DEFCON - DEF CON 27 Conference

HHV - Sunday - 10:00-12:59 PDT

DC - Sunday - 10:00-10:45 PDT

In this talk, we present two novel approaches, "Full Moon" and "Half Moon," for tampering with call stacks in a manner that is both opaque and difficult to detect. These techniques manipulate the call stack to produce unwinding or logically valid stacks, thwarting conventional detection methods.

We also introduce a detection algorithm, Eclipse, designed to identify instances of these tampering techniques. This algorithm extends the functionality of RtlVirtualUnwind to perform strict checks on specific instructions and call sequences, enabling the detection of tampered call stacks. We evaluate the efficacy of Eclipse against both Full Moon and Half Moon techniques and discuss its performance and limitations.

Additionally, we explore the possibility of combining these techniques to create an even more robust method for call stack tampering that is resistant to detection. Our study contributes to the growing body of knowledge in the field of call stack tampering and detection and provides valuable insights for researchers and security professionals aiming to mitigate such threats.

REFERENCES

namazso. 2019. x64 return address spoofing (source + explanation). UnKnoWnCheaTs - Multiplayer Game Hacking and Cheats. Retrieved April 4, 2023 from https://www.unknowncheats.me/forum/anti-cheat-bypass/268039-x64-return-address-spoofing-source-explanation.html Mariusz Banach. 2023. Thread Stack Spoofing / Call Stack Spoofing PoC. Retrieved April 3, 2023 from https://github.com/mgeeky/ThreadStackSpoofer William Burgess. Behind the Mask: Spoofing Call Stacks Dynamically with Timers | Cobalt Strike Blog. Fortra. Retrieved April 3, 2023 from https://www.cobaltstrike.com/blog/behind-the-mask-spoofing-call-stacks-dynamically-with-timers/ William Burgess. Spoofing Call Stacks To Confuse EDRs. Retrieved April 4, 2023 from https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs Microsoft Corp. 2021. x64 prolog and epilog. Retrieved April 3, 2023 from https://learn.microsoft.com/en-us/cpp/build/prolog-and-epilog Microsoft Corp. 2022. x64 exception handling. Retrieved April 3, 2023 from https://learn.microsoft.com/en-us/cpp/build/exception-handling-x64 CodeMachine. 2021. x64 Deep Dive. Retrieved April 3, 2023 from https://www.codemachine.com/article_x64deepdive.html

RTV - Sunday - 11:00-11:59 PDT

BHV - Sunday - 10:00-12:20 PDT

CLV - Sunday - 10:40-11:20 PDT

In this talk, we will explore Service Tags in Azure, a common method for modern organisations to use pre-defined network ranges to be allow-listed for inbound and outbound network traffic. Although a useful means to simplify configuration to allow service-to-service communication, its usage can lead to unintentional cross-tenant access to Azure resources. The aim of the talk is to highlight several novel methods by which attackers can get access to a corporate environment. These will range from:

• Accessing internal resources via an attacker controlled VM in a different tenant
• Abusing Azure Logic Apps functionality to interact with internal APIs
• Using SaaS services such as Azure DevOps to modify pipelines within a misconfigured target organisation

Fundamentally, this is the service working as intended. Service Tags are supposed to cover Azure service network ranges and these do, by design, include other organisations' environments. The issue mostly lies in the lack of detailed documentation and the lack of awareness around the breadth of coverage, and the potential impact of these controls. Where documentation is available that highlights some of these components, it is inconsistent in outlining the risks and potential impact. Through our work at a consultancy, we have worked with a range of organisations from large enterprises to medium sized companies. Based on our observations, this is a common issue that is present in different production Azure environments.

Listeners of the talk will come out with an understanding of:

• Service Tags and their use cases
• Attack methods to take advantage of Service Tags
• Practical recommendations for Service Tag usage

CLV - Sunday - 12:00-12:40 PDT

Specifically, in AWS, we are talking about more than three hundred (300+) services that an attacker could have their specific attack path to achieve their goal. Considering that chaotic scenario and leading a Detection Engineering Team that monitors hundreds of customers, we developed new and innovative ways to improve customer detection in three paths:

First, the largest market for cloud security is associated with Cloud Security Posture Management (CSPM), a tool that monitors misconfigurations in cloud accounts. We converted the top 10 results based on the CSPM vendor's statistics reports. The findings are prioritized from informational to critical, helping to fix the misconfiguration and making the attacker path more difficult.

Second, we examined the standard tools' behavior and built detections based on those. In particular, PACU (comprehensive AWS security-testing toolkit designed for offensive security practitioners), Endgame, and Cloudfox. The main goal is to have tool-agnostic detections using a combination of them to better fit into the AWS scenario.

Third, and just as important, are uncommon paths that abuse services that are not commonly used or have enough research on it but could lead to data exfiltration, resource exposure, privilege escalation, and so on.

By the end of this talk, attendees will be able to acquire new detection ideas, improve their cloud security posture, and mitigate attack surfaces.

TEV - Sunday - 10:00-13:59 PDT

CON - Sunday - 10:00-11:59 PDT

--

Rated PG-13. It's a level of challenge that is probably most suited to high school students and up, but anyone can play and we try to make it fun even if you're not competitive to win. :)

TCV - Sunday - 11:00-12:59 PDT

DC - Sunday - 12:00-12:45 PDT

Like anything which deals with untrusted user input, it has an attack surface. 20 years ago HD Moore wrote a paper on terminal vulnerabilities, finding multiple CVEs in the process. I decided it was time to revisit this class of vulnerability.

In this talk I'll look at the history of terminals and then detail the issues I found in half a dozen different terminals. Even Microsoft who historically haven't had strong terminal support didn't escape a CVE. In order to exploit these vulnerabilities they often need to be combined with a vulnerability in something else. I'll cover how to exploit these vulnerabilities in multiple ways.

Overall this research found multiple remote code execution vulnerabilities across nearly all platforms and new unique ways to deliver the exploits.

REFERENCES:
Key citations:

• HD Moore, 2003, "Terminal Emulator Security Issues"; https://marc.info/?l=bugtraq&m=104612710031920&w=2
• Eviatar Gerzi, 2022; "Don't Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters"

  https://www.cyberark.com/resources/threat-research-blog/dont-trust-this-title-abusing-terminal-emulators-with-ansi-escape-characters

• Phrack, 1994, #46 file 4 "Line Noise" - flash.c; http://phrack.org/issues/46/4.html
• Mitre; CWE-150; https://cwe.mitre.org/data/definitions/150.html
• Paul Szabo, 2008, CVE-2008-2383; https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030

Other interesting sources:

• Nicholas Boucher and Ross Anderson, 2021, "Trojan Source: Invisible Vulnerabilities"; https://trojansource.codes/
• Thomas Dickey, 2023, "XTerm Control Sequences"; https://invisible-island.net/xterm/ctlseqs/ctlseqs.html
• Bob Bemer, "That Powerful ESCAPE Character", https://web.archive.org/web/20010411103243/http://www.bobbemer.com/ESCAPE.HTM
• Lear Siegler, 1979, "ADM-3A Operator's Manual"; https://vt100.net/lsi/adm3a-om.pdf
• Digital Equipment Corporation, 1994, "VT520/VT525 Video Terminal Programmer Information"; http://web.mit.edu/dosathena/doc/www/ek-vt520-rm.pdf
• Paul Flo Williams, "A parser for DEC's ANSI-compatible video terminals." VT100.net; https://vt100.net/emu/dec_ansi_parser
• Konstantinos Foutzopoulos, 2021, "Sixel for terminal graphics"; https://konfou.xyz/posts/sixel-for-terminal-graphics/
• https://agimcami.files.wordpress.com/2019/07/control-characters-in-ascii-and-unicode-aivisto-com.pdf, unknown origin, but good references
• Unicode Consortium, Mark Davis et al., 2014; Unicode Technical Report #36; https://unicode.org/reports/tr36/
• Unicode Consortium, Robin Leroy, et al., 2023; Draft Unicode Technical Standard #55; https://www.unicode.org/reports/tr55/

My posts to oss-security so far:

• rxvt-unicode CVE-2022-4170; https://www.openwall.com/lists/oss-security/2022/12/05/1
• xterm CVE-2022-45063; https://www.openwall.com/lists/oss-security/2022/11/10/1
• less CVE-2022-46663; https://www.openwall.com/lists/oss-security/2023/02/07/7

DC - Sunday - 14:00-15:15 PDT

He previously worked as a researcher at the Distributed and Embedded Security group (DIES) at the University of Twente (UT) in the Netherlands where he developed exploit mitigation solutions for constrained embedded devices deployed in critical infrastructure, performed security analyses of state-of-the-art network and host-based intrusion detection systems and has been involved in research projects regarding on-the-fly detection and containment of unknown malware and APTs.

For decades, the underlying algorithms have remained secret under restrictive NDAs prohibiting public scrutiny of this critical technology. In this talk, we will make public the TETRA cipher suites (TEA and TAA1 to be precise), one of the last bastions of widely deployed secret crypto, and discuss in-depth how we managed to obtain them.

We will discuss several different flaws we uncovered allowing passive or active adversaries to intercept and manipulate TETRA traffic, including details of a backdoored stream cipher.

This journey involved reverse-engineering and exploiting multiple 0-day vulnerabilities in the popular Motorola MTM5x00 radio and its TI OMAP-L138 TEE and covers everything from side-channel attacks on DSPs to writing your own decompilers. We will also discuss how we gained code execution on and instrumented a Motorola MBTS TETRA base station for research purposes.

REFERENCES:

• Daniel J Bernstein. Cache-timing attacks on AES. 2005.
• Shuwen Duan. Security analysis of TETRA. Master’s thesis, Institutt for telematikk, 2013.
• Jonas Olofsson. Design and implementation of SIM functionality for TETRA-system on a smart card, 2012.
• Yong-Seok Park, Choon-Soo Kim, and Jae-Cheol Ryou. The vulnerability analysis and improvement of the TETRA authentication protocol. 2010
• Martin Pfeiffer, Jan-Pascal Kwiotek, Jiska Classen, Robin Klose,and Matthias Hollick. Analyzing TETRA location privacy and network availability. 2016
• Marek Sebera Tomáš Suchan. TETRA networks security, 2015.
• Zhi-Hui Zhang and Yi-Xian Yang. Research on endto-end encryption of TETRA. 2006
• Müller, Uwe ; Hauck, Eicke ; Welz, Timm ; Classen, Jiska ; Hollick, Matthias. Dinosaur Resurrection: PowerPC Binary Patching for Base Station Analysis. 2021

DC - Sunday - 11:00-11:45 PDT

While understanding and reversing malware is a highly skilled procedure, attacking the C2 itself rarely requires a lot of technical skills. Most of the C2 servers have the same typical HTTP problems that can be detected by off-the-shelf vulnerability scanners.

By exploiting low-hanging fruit vulnerabilities, an attacker can obtain unauthorized access to administrative functions, allowing them to command thousands of devices and further explore other attack vectors. This can give them access to administrator panels and malware source code, and result in the identity of threat actors being exposed.

REFERENCES

Harly malware: https://www.kaspersky.com/blog/harly-trojan-subscriber/45573/ Clipper malware: https://www.welivesecurity.com/2023/03/16/not-so-private-messaging-trojanized-whatsapp-telegram-cryptocurrency-wallets/ Nexus malware: https://www.techrepublic.com/article/nexus-android-malware-finance-targets/ Aurora malware: https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/

ASV - Sunday - 10:00-13:59 PDT

Lockheed Martin

**Laptop Needed**

This is your chance to demonstrate your superior aviation hacking knowledge and skills. This contest requires you to keep your eyes open in the Aerospace Village, a personal device to access the contest webpage, and various other technical skills that are useful in the Aerospace industry. A laptop will be helpful for binary analysis and packet decoding. The final flag is an RF replay attack, so you will need to bring or borrow a device capable of rebroadcasting a signal. If you get stuck on any the challenges help can likely be found in some of the other villages. No pre-registration is required and it is OK to work in teams. The first to finish will receive a 1/48 scale model of an F-35B as well as the prestige of being the first ever winner of this challenging contest. A second model will be awarded based on a random drawing of all other people who successfully solve the final flag. The Aerospace Village CTF starts when the village opens on Friday and ends when the village closes Sunday at 2.

CON - Sunday - 10:00-11:59 PDT

MISC - Wednesday - 00:00-09:59 PDT

START: Monday August 5th 2023 @ 0001

END: Sunday August 13th 2023 @ 1000

ICSV - Sunday - 11:00-11:30 PDT

CON - Sunday - 10:00-11:59 PDT

The Gold Bug an annual Defcon puzzle hunt, focused on cryptography. You can learn about Caesar ciphers, brush up your understanding of how Enigma machines or key exchanges work, and try to crack harder modern crypto. Accessible to all - and drop by for some kids’ puzzles too!

:‡?( 8;(: .‡6; 6) 5; 3‡0†2?3 †‡; -(:.;‡¶600538 †‡; ‡(3

The CPV and Goldbug contest are always kid friendly. We will have "junior cryptographer" puzzle sheet hand outs for kids and those new to the field.

IOTV - Sunday - 10:00-13:59 PDT

CON - Sunday - 10:00-12:59 PDT

ASV - Sunday - 10:30-11:20 PDT

DC - Sunday - 13:00-13:45 PDT

With a background in the Ministry of Defense and the Israeli Defense Forces (IDF), Omer has honed his skills in network research, including a deep understanding of Windows internals and Linux kernel components.

In addition to his professional pursuits, Omer is a passionate technology and science enthusiast who is always eager to explore emerging trends and innovations in these fields.

The evolution of public transportation payment systems has been driven by the need for faster, more convenient, and more secure payment methods, and this trend is likely to continue in the years to come, But how secure are mobile payment solutions for public transportation?

In this presentation, we will examine the security risks associated with transportation applications, using Moovit as a case study. Moovit is a widely used transportation app operating in over 100 countries and 5000+ cities. Through our investigation of the app's API, including SSL-encrypted data, we discovered specific vulnerabilities, which we will discuss. We will also demonstrate a custom user interface that can obtain a "free ticket" and cause someone else to pay. Furthermore, we will explain how an attacker could gain unauthorized access to and exfiltrate Personal Identifiable Information (PII) of registered users. Our findings offer practical recommendations to improve the security of transportation apps.

REFERENCES

https://github.com/httptoolkit/frida-android-unpinning/blob/main/frida-script.js https://moovit.com/

ICSV - Sunday - 12:00-12:30 PDT

APV - Sunday - 11:00-11:45 PDT

In a fast-paced and engineering-heavy organizations, these are typically non-blocking and can be seen as a security pipeline defining roles and responsibilities, scope of the review, a priority queue based on business risk profiling, expected outcomes and risk findings across the application.

We start with a strong foundation for secure design by performing a security design review focused on threat modeling to derive security requirements and test plans. This is followed by an in-depth secure code review and dynamic testing / validation.

As we progress through the application lifecycle, if secure code reviews uncover high risk code changes and vulnerabilities or penetration testing results point to exploitable findings this indicates a need to do better threat modeling.

The success of this in terms of scaling and maturity depends on three factors working in tandem: tools, processes and people. Therefore, we need to leverage a security pipeline approach for well defined structure and automation..

In this talk, we will cover:
- creating a structure for these reviews based on their scope and priority - calibrating reviews as a team and organization - leveraging partnerships like security champions (engineers) as key players who are not responsible for the pipeline but help move the pipeline further - capturing key risk and remediation metrics - building automation and tooling centered around for threat modeling in a complete security assessment

APV - Sunday - 10:00-11:59 PDT

APV - Sunday - 12:00-13:59 PDT

BHV - Sunday - 12:20-13:20 PDT

DC - Sunday - 11:00-11:45 PDT

REFERENCES

- http://problemkaputt.de/gbatek-dsi-atheros-wifi-bmi-bootloader-commands.htm - https://nstarke.github.io/firmware/wifi/linux/kernel/2021/08/11/dev-coredump-and-firmware-images.html - https://sachin0x18.github.io/posts/demystifying-xtensa-isa/ - https://nexmon.org

ASV - Sunday - 10:00-13:59 PDT

Engage in some fun and challenging CTF adventures where you can put your skills to the test. See firsthand how your actions affect our UAS demonstrator. The UAS demonstrator contains all the sensors from our Mobile Optical Ultrasonic Sensor Explorer, or MOUSE for short. The MOUSE represents a small Unmanned Aircraft System (sUAS) comprising a pan/tilt object recognition camera, navigation camera, temperature & humidity sensor, ultrasonic sensor, and drive system powering four motors.

You won't need to worry about any complicated registration process; all you need is your personal laptop to join in the excitement. Earn enough points in the challenge, and you could be the proud owner of a CT Cubed SAO, a special prize while supplies last. Get ready to embark on this fascinating journey and prove your cybersecurity prowess!

APV - Sunday - 12:30-13:15 PDT

DC - Sunday - 10:00-10:45 PDT

While being interested in physical security and lockpicking, he enjoys applied research and reverse engineering malware and all kinds of devices.

His most known projects are the documentation and hacking of various vacuum robots. His current vacuum robot army consists of over 45 different models from various vendors.

In this talk we will look at the security and privacy of current devices. We will show that their flaws pose a huge privacy risk and that certification of devices cannot be trusted. Not to worry, though - we will also show you how to protect yourself (and your data) from your robot friends.

You will learn on how you can get root access to current flagship models of 4 different vendors. Come with us on a journey of having fun hacking interesting devices while preventing them from breaching your privacy. We will also discuss the risks of used devices, for both old and new users.

Finally, we will talk about the challenges of documenting vacuum robots and developing custom software for them. While our primary goal is to disconnect the robots from the cloud, it is also for users to repair their devices - pwning to own in a wholesome way.

REFERENCES:

Robots with lasers and cameras (but no security): Liberating your vacuum from the cloud https://dontvacuum.me/talks/DEFCON29/DEFCON29-Robots_with_lasers_and_cameras.html

Unleash your smart-home devices: Vacuum Cleaning Robot Hacking (34C3) https://dontvacuum.me/talks/34c3-2017/34c3.html

Having fun with IoT: Reverse Engineering and Hacking of Xiaomi IoT Devices https://dontvacuum.me/talks/DEFCON26/DEFCON26-Having_fun_with_IoT-Xiaomi.html

https://www.technologyreview.com/2022/12/19/1065306/roomba-irobot-robot-vacuums-artificial-intelligence-training-data-privacy/

https://linux-sunxi.org/Main_Page

CON - Sunday - 10:00-11:59 PDT

DC - Sunday - 10:00-15:59 PDT

We don't know whether they will be accepting cash or cards. That's up to each vendor, and we do not have a list.

We also don't know if/when vendors will sell out of anything they may be selling.

ICSV - Sunday - 10:30-10:59 PDT

APV - Sunday - 09:30-10:15 PDT

First, we will share our learnings on creating a generic set of rules with low noise. This will go from a better understanding of real world attacks to common false positive patterns. We will also cover strategies to catch issues in rules at scale and expand the coverage of new unknown attacks.

PHV - Sunday - 09:00-12:59 PDT

RFV - Sunday - 11:00-12:59 PDT

DC - Sunday - 10:00-11:59 PDT

XRV - Sunday - 10:00-10:59 PDT

Heller was an inaugural AI and Technology Fellow at the Harvard Kennedy School, studying content moderation and security risks in VR/AR/XR and emergent media, which resulted in award-winning publications on privacy, biometrics, targeted advertising, and XR. Heller is a frequent speaker and commentator on XR issues, and has published in The Information, Wired, The New York Times, and the Hill on online harms. She also advises governments and top XR companies on how to build safer and more inclusive immersive spaces.

As former counsel in Foley Hoag LLP’s Global Business and Human Rights practice, Heller advised companies, investors, and NGOs on integrating public safety and human rights. She previously founded ADL’s Center for Technology and Society. Her key projects included creating AI to study hate speech and XR experiences for civil rights advocacy. Additionally, Heller prosecuted grave human rights violations at the U.S. Department of Justice and the International Criminal Court and initiated landmark anti-cyber harassment litigation. She is a graduate of Stanford University and Yale Law School.

XRV - Sunday - 10:00-11:59 PDT