This year, NCC Group researchers will be presenting 10 presentations at Black Hat USA (2 Briefings, 2 Arsenal tools, and 6 training sessions), and 5 presentations at DEF CON 29 (2 main track talks and 3 Demo Labs).

A guide to these presentations (abstracts, dates, and links) is included below. We will also update this post with any additional presentations as they are accepted and announced.

Virtually or in-person, we hope you will join us!

Black Hat USA 2021

• Sleight of ARM: Demystifying Intel Houdini (Brian Hong, NCC Group)
• Securing Open Source Software: End-to-end, At massive scale, Together (Jennifer Fernick, NCC Group & Christopher Robinson, Intel)
• Principal Mapper (PMapper): A Tool for Identifying Unique AWS Account/Organization Permissions Risks (Erik Steringer, NCC Group)
• Solitude: A Privacy Analysis Tool (Dan Hastings, NCC Group)
• Mastering Container Security V5: Black Hat Edition (Iain Smart, NCC Group)
• Secure Coding in C and C++ (Robert C. Seacord, NCC Group)
• Bad Active Directory (Dhruv Verma, Michael Roberts, & Xiang Wen Kuan, NCC Group) – offered twice
• Offensive Cloud Security (NCC Group) – offered twice

DEF CON 29

• Sleight of ARM: Demystifying Intel Houdini (Brian Hong, NCC Group)
• Instrument and Find Out: Writing Parasitic Tracers for High(-Level) Languages (Jeff Dileo, NCC Group)
• Principal Mapper (PMapper) – Mapping Privilege Escalation and More in AWS IAM (Erik Steringer, NCC Group)
• Solitude: A Privacy Analysis Tool (Dan Hastings, NCC Group)
• Depthcharge: A Framework for U-Boot Hacking (Jon Szymaniak, NCC Group)

Black Hat USA 2021

Sleight of ARM: Demystifying Intel Houdini

Brian Hong, NCC Group

Black Hat USA 2021 – Briefings

August 4-5 2021

ARM is taking over the computer industry. In recent years, we have seen some of the major players in the industry switch from x86-based processors to ARM processors. Most notable is Apple, which has supported the transition to ARM from x86 with a binary translator, Rosetta 2, which has recently gotten the attention of many researchers and reverse engineers. However, you might be surprised to know that Intel has its own binary translator, Houdini, which runs ARM binaries on x86.

In this talk, we will discuss Intel’s proprietary Houdini translator, which is primarily used by Android on x86 platforms, such as higher-end Chromebooks and desktop Android emulators. We will start with a high-level discussion of how Houdini works and is loaded into processes. We will then dive into the low-level internals of the Houdini engine and memory model, including several security weaknesses it introduces into processes using it. Lastly, we will discuss methods to escape the Houdini environment, execute arbitrary ARM and x86, and write Houdini-targeted malware that bypasses existing platform analysis.

Securing Open Source Software – End-to-End, at Massive Scale, Together

Jennifer Fernick, NCC Group / Open Source Security Foundation
Christopher (“CRob”) Robinson, Intel / Open Source Security Foundation

Black Hat USA 2021 – Briefings

August 4-5 2021

Principal Mapper (PMapper): A Tool for Identifying Unique AWS Account/Organization Permissions Risks

Erik Steringer, NCC Group

Black Hat USA 2021 – Arsenal (Mandalay Bay – Station 3)

Wednesday, August 4 | 12:40pm-1:50pm
Thursday, August 5 | 10:00am-10:50am
Thursday, August 5 | 1:00pm-2:00pm

Principal Mapper (PMapper) is an open source tool and library for assessing AWS IAM and AWS Organizations for security concerns, such as privilege escalation and resource isolation. It tracks and identifies the different ways that one given IAM User/Role (Principal) could pivot to other IAM Users or Roles by reviewing all applicable IAM Policies. After gathering this data, PMapper can perform additional analysis, querying, and visualization.

The querying and analysis systems of PMapper goes beyond checking if a principal is authorized to make a specific AWS API call. It will check if the principal can go through other principals to make a specified AWS API call. In a real-world example: if a user is not authorized to get an S3 object, PMapper also checks if the user can run an EC2 instance with a role as a means of bypassing that restriction. This means that PMapper tells you the effective permissions of each IAM User and Role, and the impact of the extra access you may grant to those principals.

Solitude: A Privacy Analysis Tool

Dan Hastings, NCC Group

Black Hat USA 2021 – Arsenal (Virtual)

Thursday, August 5 | 2:00pm-3:00pm

Solitude is an open-source privacy analysis tool that aims to help people inspect where their private data goes once it leaves their favorite mobile or web applications. Whether a curious novice or a more advanced researcher, Solitude makes the process of evaluating an app’s privacy accessible for everyone.

Unfortunately, privacy policies are often difficult to understand when trying to identify how your private data is being shared and whom it’s being shared with. As we have seen through research, privacy policies don’t always tell the complete truth of what an apps actual data collection practices are. Solitude was built to help give more transparency to users of where their private data
goes. Solitude makes the process of proxying HTTP traffic and searching through HTTP traffic more straightforward. Solitude can be configured to look for any type of data that you input in a mobile or web application and reveal where that data is going. The application inspects all outbound HTTP traffic, looks for various hashes of your data and recursively decodes common encoding schemes (base64,URL).

Mastering Container Security V5 – Black Hat edition

Iain Smart, NCC Group

Black Hat USA 2021 – Trainings

August 2-3 2021

Containers and container orchestration platforms such as Kubernetes have become a common feature of company’s IT platforms, but how do they really work and how can you attack or secure them?

This course takes a deep dive into the world of Linux containers, covering fundamental technologies and practical approaches to attacking and defending container-based systems such as Docker and Kubernetes.

In the 2021 Blackhat Edition of the course we’ve enhanced our core content with the latest in attack and defence from the container world based on the expertise of NCC’s Container Orchestration Security Services Team.

Secure Coding in C and C++

Robert C Seacord, NCC Group

Black Hat USA 2021 – Trainings

July 31-August 3 2021

Secure Coding Training in C and C++ is a four-day course that provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. This course concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries.

Bad Active Directory (BAD)

Dhruv Verma, Michael Roberts, & Xiang Wen Kuan, NCC Group

Black Hat USA 2021 – Trainings

Session #1, July 31 – August 1 2021; Session #2, August 2-3 2021

Bad Active Directory (BAD) is a beginner-to-intermediate level training for hacking Windows Active Directory. The hands-on CTF-like exercises we offer aim to simulate real traffic, and the challenges are deployed in AWS. By presenting a realistic exploit chain (minus covert techniques), users will learn about various types of vulnerabilities within an Active Directory environment and how to exploit them, employing different tools and tricks to pivot across machines towards achieving the privileges of Domain Admin.

This training consists of four lab modules based on real attacks we’ve performed on client environments, and each lab would imitate how modern networks look. Each attendee will have access to their own environment, credentials for which will be distributed via a web application. Within each environment, there would be two test machines (a linux host, and a windows host), which the attendees can use to perform the test. All required tools will be pre-installed.

Offensive Cloud Security

NCC Group

Black Hat USA 2021 – Trainings

Session #1, July 31 – August 1 2021; Session #2, August 2-3 2021

While security awareness and collective experience regarding the Cloud has been steadily improving, one common difficulty is applying theoretical knowledge to real-life scenarios. This training’s goal is to help attendees bridge this gap by understanding how conventional technologies integrate with Cloud solutions. The training is scenario-based and focusses on applied exercises. 

Attendees will experience first-hand how security vectors that exist in such ecosystems present opportunities for abuse. Throughout the training, we will also cover detection and mitigation of the attacks covered in the course.

The training is structured as a sequence of scenarios, which mix theory and practical exercises. The theory is imparted gradually, and attendees are be given time to think for themselves and work through the exercises.

DEF CON 29

Sleight of ARM: Demystifying Intel Houdini

Brian Hong, NCC Group

DEF CON 29 (Main Track)

August 5-8 2021

In the recent years, we have seen some of the major players in the industry switch from x86-based processors to ARM processors. However, you might be surprised to know that Intel has long supported ARM to x86 transition with their binary translator, Houdini, which runs ARM binaries on x86.

In this talk, we will discuss Intel’s proprietary Houdini translator, which is primarily used by Android on x86 platforms, such as higher-end Chromebooks and desktop Android emulators. We will start with a high-level discussion of how Houdini works and is loaded into processes. We will then dive into the low-level internals of the Houdini engine and memory model, including several security weaknesses it introduces into processes using it. Lastly, we will discuss methods to escape the Houdini environment, execute arbitrary ARM and x86, and write Houdini-targeted malware that bypasses existing platform analysis.

Instrument and Find Out: Writing Parasitic Tracers for High(-Level) Languages

Jeff Dileo, NCC Group

DEF CON 29 (Main Track)

August 5-8 2021

Modern programming languages are, more and more, being designed not just around performance, ease-of-use, and (sometimes) security, but also performance monitoring and introspectability. But what about the languages that never adopted such concepts from their peers? Or worse, what about the languages that tacked on half-hearted implementations as an afterthought? The answer is simple, you write your own and instrument them into the language dynamically.

In this talk, we will discuss the process for developing generalized parasitic tracers targeting specific programming languages and runtimes using Ruby as our case study. We will show how feasible it is to write external tracers targeting a language and its runtime, and discuss best practices for supporting different versions over time.

Depthcharge: A Framework for U-Boot Hacking

Jon Szymaniak, NCC Group

DEF CON 29 – Demo Labs

August 5-8 2021

In modern embedded systems that implement a “secure boot” flow, the boot loader plays a critical role in establishing the integrity and authenticity of software and data required to boot an operating system. Given the role and vantage point of boot loaders, they are a particularly interesting target for hardware hackers seeking to root a device and instrument it for further vulnerability hunting and reverse engineering. Although the vast majority of devices leveraging the ubiquitous and open source U-Boot boot loader leave it unprotected and trivially exploited, more product vendors are finally implementing secure boot and (attempting to) lock down their U-Boot builds. These less common specimen offer exciting opportunities to pursue creative bypasses and explore underappreciated U-Boot functionality.

The Depthcharge framework was developed to help hardware hackers methodically (ab)use some of that underappreciated U-Boot functionality in novel ways to circumvent boot-time protections, as well as expedite the identification and exploitation of “the usual suspects” within exposed U-Boot device consoles. The project includes a Python 3 library for interfacing with devices, reading and writing memory via available primitives, deploying executable payloads, and analyzing various data structures. A collection of scripts built atop of library make this functionality readily available via the command line, and “Depthcharge Companion” firmware allows the tooling to extend its vantage point by presenting itself as a peripheral device connected to the target. This Demo Lab will introduce the basics of Depthcharge and explore how attendees can leverage and expand upon it when seeking to circumvent boot-time protections or just to further explore a system from within the U-Boot environment. For those wishing to protect their (employer’s) products from fellow DEF CON attendees, we’ll also cover the configuration checker functionality that can be used to avoid common U-Boot pitfalls.

Solitude: A privacy analysis tool

Dan Hastings, NCC Group

DEF CON 29 – Demo Labs

August 5-8 2021

Solitude is an open-source privacy analysis tool that aims to help people inspect where their private data goes once it leaves their favorite mobile or web applications. Whether a curious novice or a more advanced researcher, Solitude makes the process of evaluating an app’s privacy accessible for everyone without the need for time-consuming app instrumentation and analysis, which we’ve abstracted away from the user.

Privacy policies are often difficult to understand when trying to identify how your private data is being shared and with whom it’s being shared. My previous research1 has even shown that privacy policies don’t always tell the truth of what an app’s actual data collection practices actually are. What’s more, prior to Solitude, tooling to find this out efficiently didn’t exist for security researchers, let alone nontechnical users. Solitude was built to help give users more transparency to understand where their private data goes by the process of proxying HTTP traffic and inspecting HTTP traffic more straightforward, and can be configured to look for arbitrary datatypes captured by a mobile or web application. In its early release, this tool has already been used by journalists to help investigate privacy abuses by mobile app vendors.

Principal Mapper (PMapper) – Mapping Privilege Escalation and More in AWS IAM

Erik Steringer, NCC Group

DEF CON 29 – Demo Labs

August 5-8 2021

Principal Mapper (PMapper) is an open-source tool and library for assessing AWS IAM and AWS Organizations for security concerns, such as privilege escalation and resource isolation. It tracks and identifies the different ways that one given IAM User/Role (Principal) could pivot to other IAM Users or Roles by reviewing all applicable IAM Policies. After gathering this data, PMapper can perform additional analysis, querying, and visualization.

The querying and analysis systems of PMapper goes beyond checking if a principal is authorized to make a specific AWS API call. It will check if the principal can go through other principals to make a specified AWS API call. In a real-world example: if a user is not authorized to get an S3 object, PMapper also checks if the user can run an EC2 instance with a role as a means of bypassing that restriction. This means that PMapper tells you the effective permissions of each IAM User and Role, and the impact of the extra access you may inadvertently grant to those principals