MOSEC

MOSEC (Mobile Security Conference) is co-hosted by the Pangu Team and the organizer of POC. The first MOSEC conference will be held in Shanghai, China. MOSEC will invite distinguished security professionals and researchers to present frontier research on the security of mobile devices.

The Pangu Team consists of several senior security researchers and has focused on iOS security. The Pangu Team successively released untethered jailbreak tools for iOS 7.1.x and iOS 8.0-8.1 in 2014 and was the first to jailbreak iOS 8.

POC, the biggest hacker conference in South Korea, is highly reputable in Asia and around the world. POC 2015 will mark the 10th anniversary of the conference.



Speakers

Pangu Team

The Design, Implementation and Bypass of the Chain-of-trust Model of iOS

Introduction

The closed software ecosystem of iOS relies heavily on the rigorous security mechanisms of iOS. This talk will analyze the design, implementation, and evolution of the security mechanisms in iOS along the timeline from device boot and kernel initialization to the creation and execution of a userland process. It will review the key steps previous jailbreak tools took to break the chain-of-trust model of iOS, share the critical techniques exploited by Pangu 7 and Pangu 8, and analyze and forecast potential attack surfaces for future jailbreaks.

Speaker

The Pangu Team is a team of senior security researchers focusing on iOS security. The Pangu Team successively released untethered jailbreak tools for iOS 7.1.x and iOS 8.0-8.1 in 2014, becoming the first team in China to independently develop untethered jailbreaks and the first team in the world to jailbreak iOS 8.

Di Shen

Exploiting Trustzone on Android

Introduction

In recent years, fingerprint scanning has been supported in many Android devices. Fingerprint scanning on ARM always needs an implementation of TrustZone. While we enjoy unlocking devices and paying by fingerprint, we also find that these new features introduce new attack surfaces.

Attacking the kernel of Android or the "secure world" of TrustZone may not be impossible.

Theoretically, devices built with TrustZone technology can support a full Trusted Execution Environment (TEE). The TEE runs in a special CPU mode called "secure mode", so memory for the secure mode and its security functions can be hidden from the "normal world". In this way, Android vendors can supply many secure features such as fingerprint scanning, DRM, kernel protection, secure boot and so on.

In this talk, I will present some new attack surfaces in the software architecture of Android phones with TrustZone, and show how to analyze a "secure world" and find new vulnerabilities in such an "undocumented black hole". Finally, I will exploit one bug in two ways: one for rooting Android's "normal world" and disabling the newest SE for Android, the other for running shellcode in the "secure world". With these exploits we can obtain the fingerprint image or bypass some other security features.

Speaker

Di Shen (@returnsme) is a security researcher at Qihoo 360. He recently focuses on vulnerabilities in Android applications, the framework and the kernel. His hobbies are console games, watching animation and the English Premier League. He was also a speaker at SyScan360 2014.

Jiahong Fang

How to Root 10 Million Phones with one Exploit

Introduction

Android rooting is challenging, especially when you want to cover thousands of combinations of device and ROM. We are going to discuss the following topics, which may help you achieve that goal:

  1. Picking a suitable vulnerability, or finding your own
  2. Saying no to hard-coded offsets
  3. Defeating SELinux and other root "mitigations"

Speaker

James Fang is a co-founder and researcher at Keen Team. He has been working on multiple research projects, and for the past year he has mostly focused on Android kernel vulnerabilities and exploitation. He is interested in writing root solutions that work on tens of millions of Android devices.

Shuai Zhao

Yongkui Liu

Peel the onion

Introduction

The prevalent use of packers for Android apps has become an obstacle to security audits and malware detection. In order to get the whole picture and reveal the real intent of an app, we analyze the most popular packers used by Android apps. To overcome the shortcomings of existing Android app analysis tools, we have devised an assistant toolkit. By combining this toolkit with others, such as IDA Pro, a reverse engineer can quickly locate the key code and look inside an app. Finally, we illustrate the procedure by taking the packer as an example.

Speaker

Shuai Zhao, Mobei Security, researcher, focuses on static analysis of Android apps. Speaker at xkungfoo.

Yongkui Liu, Mobei Security, researcher, focuses on dynamic analysis of Android apps.

Nicolas Joly

Pwning a Windows Phone, from shadow to light

Introduction

Although Windows has a long history of vulnerabilities and exploit techniques, Windows Phone OS has proven to be much harder to exploit than its cousin. Low market share, little public research, a high focus on iOS and Android, but also strong security policies have made that target highly resistant to massive pwnage. But as often happens with exploits, a good vulnerability such as a write-what-where condition is usually enough to defeat all the mitigations in place. Based on research conducted for Mobile Pwn2Own 2014, this talk will depict the road taken to get a working exploit for Internet Explorer Mobile running on WP 8.1.

Speaker

Nicolas Joly is an independent security researcher focused on client-side vulnerabilities and a multiple Pwn2Own winner. He has seven years of experience in research and exploitation and spends his spare time growing trees and playing with cats.

SysSec Lab (KAIST)

Exploiting Sensing Channel for Embedded Systems

Introduction

Due to advances in embedded hardware and software technologies, embedded systems are becoming smaller every day. Today, many embedded devices such as wearable devices, medical devices, and drones are mobile. These embedded devices are basically sensing-and-actuation systems. Such devices therefore need sensors to sense electromagnetic signals (antenna), sound (speaker), rotation (gyroscope) and so on. The sensors can suffer from intentional interference not only through legitimate channels, but also through non-legitimate channels, and the abnormal sensing data can then cause failures in the embedded system. In this talk, we will suggest the existence of an actual threat related to sensing and sensors, with some proof-of-concept cases.

Speaker

SysSec (System Security) is a security research lab in the KAIST Graduate School of Information Security (Korea). We are interested in the security of emerging and current systems. Our research involves the design and implementation of novel attacks, and the development of countermeasures against such attacks. We currently focus on 1) security issues for Cyber Physical Systems (CPSs) such as sensors, medical devices, the smart grid, and automobiles, 2) control plane security of mobile networks and the Internet, and 3) penetration testing of Korean cyber infrastructure.

Jason Shirk

Microsoft Bug Bounty Program: Data Behind the Scenes

Introduction

Microsoft has been working with security researchers for a long time as part of a robust security regimen, which we continue to value and drive passionately. Bug bounties are an increasingly important part of the vulnerability research and defense ecosystem. We believe that bounties will continue to evolve over time, and we will be regularly managing the Microsoft Bounty Programs. In this talk Jason will discuss what we have seen to date and what we have learned, and dive more deeply into the data behind running the Bug Bounty Programs at Microsoft.

Speaker

Jason Shirk is a Principal Security Strategist at Microsoft and runs their Bug Bounty Program (aka.ms/bugbounty). He has spent a number of years in both the software security and user data privacy spaces, with roles ranging from owning Microsoft's Fuzzing Strategy and toolkit, to Security Architect for Bing, to penetration testing and endpoint security at Bell Labs/Avaya, to now driving overall Security Ecosystem Strategy for Microsoft. Jason speaks regularly at external Security & Privacy conferences, and advises program owners across Microsoft and the industry on the evolving nature of building secure software, with user privacy at the forefront.

Schedule

08:00 - 09:00  On-site Registration
09:00 - 09:10  Welcome Speech
09:10 - 10:00  Exploiting Trustzone on Android (Di Shen)
10:00 - 10:50  Pwning a Windows Phone, from shadow to light (Nicolas Joly)
10:50 - 11:10  Break
11:10 - 12:00  How to Root 10 Million Phones with one Exploit (Jiahong Fang)
12:00 - 13:30  Lunch
13:30 - 14:20  Microsoft Bug Bounty Program: Data Behind the Scenes (Jason Shirk)
14:20 - 15:10  Peel the onion (Shuai Zhao / Yongkui Liu)
15:10 - 16:30  Break
15:30 - 16:20  Exploiting Sensing Channel for Embedded Systems (SysSec Lab, KAIST)
16:20 - 17:10  The Design, Implementation and Bypass of the Chain-of-trust Model of iOS (Pangu Team)
17:10 - 17:30  Close
