Speaker: Alisa Esage Date and time: 03rd July 2022, 13:00 UTC (online) Format: high level technical 60 min. talk with Q&A Availability: not available Keywords: root cause, operation management, infrastructure, payload, endpoint security
I drew this visualization model - the Big Picture of Cybersecurity - to explain students of Zero Day Engineering training the placement and the meaning of what we learn within the context of cybersecurity industry at large. This livestream walks through the model and explains how we can use it to understand (and predict) various phenomena in cybersecurity: for example, why certain solutions (both offensive and defensive) work better than the others, why things like perimeter defense, endpoint protection and policy regulation doesn't seem to help global cybersecurity situation, and what can be done to actually solve it. Key takeaway: while it is obvious that vulnerability research and exploit development practical knowledge from an experienced hacker is the first thing to learn if you want to be a Zero Day Engineer - working on the offensive side, finding vulnerabilities and writing exploits - it is not so obvious that exactly the same knowledge is essential for practitioners of any and every specialization within the domain of cybersecurity in order to solve problems effectively. This livestream explains why.
Speaker: Alisa Esage Date and time: 11th November 2021, 13:00 UTC (online) Format: deep technical 60 min. talk with Q&A Availability: not available Keywords: Virtualization, Vulnerability Research, Exploit Development, Logic Bugs, VM Escape
At Pwn2Own Vancouver 2021 I have demonstrated an 0day VM escape exploit for Parallels Desktop hypervisor. The exploit chain that I developed was based on logic issues. In this deep technical presentation I will share the technical details of the exploit, as well as various preliminary and contextual knowledge related to it.
Logic security vulnerabilities (i.e. those that can be exploited without any memory corruptions) are becoming increasingly important in offensive security research right now, as Rust and other memory-safe programming languages are rapidly taking over popular code bases. When evaluating the attack surface of Parallels Desktop, as an expert in both hypervisors and memory corruption bugs, I saw many opportunities for classical buffer overflows, but chose to try and find a logic bug instead. As hypervisors are ultra-complex low level software, exploitable logic bugs in them are extremely rare. I was lucky to find such a “one of a kind” bug.
Despite the bug was quite simple, the exploit turned out to be not so easy. Exploitation of the bug required me to develop a kernel module for the guest OS from which I was escaping, reverse-engineer some internal RPC protocol of the hypervisor, and emulate it in the exploit code. Eventually the exploit was reliable 100% by design, and executed arbitrary code on the host Mac.
During the Pwn2Own competitions it came as a surprize that my exploit did not meet any collisions with other competition entries. Because the bug itself was quite easy, I expected that at least one participant would find and utilize it independently in their own Pwn2Own exploit. But it didn’t happen. That made me aware of the fact that a bug that looks easy does not necessarily imply an easy discovery or an easy exploitation process, an estimation which is very important for strategic aspects of offensive security research.
I will adjust the presentation to be approachable for all security-conscious technical audiences, not just specialists in hypervisor security.