
ThinkstScapes
Podcast by Jacob Torrey, research@thinkst.com, Haroon Meer, Marco Slaviero
The ThinkstScapes podcast aims to distill and disseminate the cybersecurity research published worldwide. Our researchers track and review hundreds and thousands of talks (so you don't have to) and then bring this to you in small, digestible chunks.
Try free for 7 days
NOK 99.00 / month after the trial period. Cancel at any time.
All episodes
15 episodes
THINKSTSCAPES Q1’25

PUTTING IT INTO PRACTICE

HOMOMORPHIC ENCRYPTION ACROSS APPLE FEATURES
Rehan Rishi, Haris Mughees, Fabian Boemer, Karl Tarbe, Nicholas Genise, Akshay Wadia, and Ruiyu Zhu
[Code [https://github.com/apple/swift-homomorphic-encryption]] [Paper [https://arxiv.org/abs/2406.06761]] [Video [https://www.youtube.com/live/R1NEfuv3iMk?si=ORdgievrYHTfoGvn&t=17061]]

BEYOND THE HOOK: A TECHNICAL DEEP DIVE INTO MODERN PHISHING METHODOLOGIES
Alexandre Nesic
[Blog [https://blog.quarkslab.com/technical-dive-into-modern-phishing.html]]

HOW TO BACKDOOR LARGE LANGUAGE MODELS
Shrivu Shankar
[Blog [https://blog.sshh.io/p/how-to-backdoor-large-language-models]] [Code [https://huggingface.co/sshh12/badseek-v2/tree/main]]

BUCCANEERS OF THE BINARY: PLUNDERING COMPILER OPTIMIZATIONS FOR DECOMPILATION TREASURE
Zion Leonahenahe Basque
[Code [https://github.com/angr/angr-management]] [Video [https://www.youtube.com/watch?v=VP29biKLoSw]]

SOFTWARE SCREWS AROUND, REVERSE ENGINEERING FINDS OUT: HOW INDEPENDENT, ADVERSARIAL RESEARCH INFORMS GOVERNMENT REGULATION
Andy Sellars and Michael A. Specter
[Video [https://youtu.be/wXbnUm88IJw?list=PLnKSfJ5rXw95HSPVl5L7dqhKpVAx3q_j0&t=11045]] [Website [https://ftcreverse.engineering/#]]

UNDERSTANDING THINGS ALL THE WAY DOWN

PHANTOMLIDAR: CROSS-MODALITY SIGNAL INJECTION ATTACKS AGAINST LIDAR
Zizhi Jin, Qinhong Jiang, Xuancun Lu, Chen Yan, Xiaoyu Ji, and Wenyuan Xu
[Paper [https://arxiv.org/pdf/2409.17907v1]] [Demo Videos [https://sites.google.com/view/phantomlidar]]

FULL-STACK REVERSE ENGINEERING OF THE ORIGINAL MICROSOFT XBOX
Markus Gaasedelen
[Video [https://www.youtube.com/watch?v=hGlIkgmhZvc]]

WALLBLEED: A MEMORY DISCLOSURE VULNERABILITY IN THE GREAT FIREWALL OF CHINA
Shencha Fan, Jackson Sippe, Sakamoto San, Jade Sheffey, David Fifield, Amir Houmansadr, Elson Wedwards, and Eric Wustrow
[Paper [https://www.ndss-symposium.org/wp-content/uploads/2025-237-paper.pdf]]

SCALING SOFTWARE (IN)SECURITY

LOW-EFFORT DENIAL OF SERVICE WITH RECURSION
Alexis Challande and Brad Swain
[Paper [https://resources.trailofbits.com/input-driven-recursion-white-paper]] [Video [https://www.youtube.com/watch?v=7DKwB-jCLvU]]

IS THIS MEMORY SAFETY HERE IN THE ROOM WITH US?
Thomas Dullien (Halvar Flake)
[Slides [https://docs.google.com/presentation/d/1-CgBbVuFE1pJnB84wfeq_RadXQs13dCvHTFFVLPYTeg/edit?usp=sharing]] [Video [https://www.youtube.com/watch?v=4pHZg8bKvmU]]

HOW TO GAIN CODE EXECUTION ON MILLIONS OF PEOPLE AND HUNDREDS OF POPULAR APPS
Eva
[Blog [https://kibty.town/blog/todesktop/]]

NODE IS A LOADER
Tom Steele
[Blog [https://www.atredis.com/blog/2025/3/7/node-is-a-loader]]

MIXING UP PUBLIC AND PRIVATE KEYS IN OPENID CONNECT DEPLOYMENTS
Hanno Böck
[Blog [https://blog.hboeck.de/archives/909-Mixing-up-Public-and-Private-Keys-in-OpenID-Connect-deployments.html]] [Code [https://github.com/badkeys/badkeys]]

NIFTY SUNDRIES

WILL IT RUN? FOOLING EDRS WITH COMMAND LINES USING EMPIRICAL DATA
Wietze Beukema
[Tool site [https://argfuscator.net/]] [Code [https://www.github.com/wietze/Invoke-ArgFuscator]] [Video [https://www.youtube.com/watch?v=CNeUwrapJiQ]]

HOMOGLYPH-BASED ATTACKS: CIRCUMVENTING LLM DETECTORS
Aldan Creo
[Paper [https://arxiv.org/abs/2406.11239]] [Code [https://github.com/ACMCMC/silverspeak]] [Video [https://www.youtube.com/watch?v=F2RGYKKoqp0]]

28 MONTHS LATER - THE ONGOING EVOLUTION OF RUSSIA'S CYBER OPERATIONS
The Grugq
[Slides [https://strapi.ootb.net/uploads/28_months_later_final_1357291282.pdf]] [Podcast interview [https://youtu.be/3w7E4Hhtubw?t=3791]]

‘IT'S NOT PARANOIA IF THEY'RE REALLY AFTER YOU’: WHEN ANNOUNCING DECEPTION TECHNOLOGY CAN CHANGE ATTACKER DECISIONS
Andrew Reeves and Debi Ashenden
[Paper [https://scholarspace.manoa.hawaii.edu/server/api/core/bitstreams/6c188375-03f6-4d66-afee-296308c9f2c0/content]]

OFF-PATH TCP HIJACKING IN WI-FI NETWORKS: A PACKET-SIZE SIDE CHANNEL ATTACK
Ziqiang Wang, Xuewei Feng, Qi Li, Kun Sun, Yuxiang Yang, Mengyuan Li, Ganqiu Du, Ke Xu, and Jianping Wu
[Paper [https://arxiv.org/pdf/2402.12716]] [Code [https://github.com/Internet-Architecture-and-Security/Packet-Size-Side-Channel-Attack]]

ThinkstScapes Q4’24

WINS AND LOSSES IN THE MICROSOFT ECOSYSTEM

POINTER PROBLEMS - WHY WE’RE REFACTORING THE WINDOWS KERNEL
Joe Bialek
[Video [https://www.youtube.com/watch?v=-3jxVIFGuQw]]

DEFENDING OFF THE LAND
Casey Smith, Jacob Torrey, and Marco Slaviero
[Slides [https://github.com/thinkst/defending-off-the-land/blob/main/slides/BHEU24-TorreySlaviero.pdf]] [Code [https://github.com/thinkst/defending-off-the-land]]

UNVEILING THE POWER OF INTUNE: LEVERAGING INTUNE FOR BREAKING INTO YOUR CLOUD AND ON-PREMISE
Yuya Chudo
[Slides [http://i.blackhat.com/EU-24/Presentations/EU-24-Chudo-Unveiling-the-Power-of-Intune-Leveraging-Intune-for-Breaking-Into-Your-Cloud-and-On-Premise.pdf]] [Code [https://github.com/secureworks/pytune]]

FROM SIMULATION TO TENANT TAKEOVER
Vaisha Bernard
[Video [https://media.ccc.de/v/38c3-from-simulation-to-tenant-takeover]]

FROM CONVENIENCE TO CONTAGION: THE LIBARCHIVE VULNERABILITIES LURKING IN WINDOWS 11
NiNi Chen
[Slides [https://hitcon.org/2024/CMT/slides/From_Convenience_to_Contagion_The_Libarchive_Vulnerabilities_Lurking_in_Windows_11.pdf]] [Video [https://media.ccc.de/v/38c3-from-convenience-to-contagion-the-libarchive-vulnerabilities-lurking-in-windows-11]]

LLM HYPE CONTINUES, AS DO THE SECURITY ISSUES

THINGS WE LEARNED ABOUT LLMS IN 2024
Simon Willison
[Blog [https://simonwillison.net/2024/Dec/31/llms-in-2024/]]

AI MEETS GIT: UNMASKING SECURITY FLAWS IN QODO MERGE
Nils Amiet
[Slides [https://fahrplan.events.ccc.de/congress/2024/fahrplan/media/38c3/submissions/XXXSWE/resources/qodo-merge-38c3-slides_b7maUtc.pdf]] [Video [https://media.ccc.de/v/38c3-ai-meets-git-unmasking-security-flaws-in-qodo-merge]] [Blog [https://research.kudelskisecurity.com/2024/08/29/careful-where-you-code-multiple-vulnerabilities-in-ai-powered-pr-agent/]]

SUICIDE BOT: NEW AI ATTACK CAUSES LLM TO PROVIDE POTENTIAL “SELF-HARM” INSTRUCTIONS
Gadi Evron
[Blog [https://www.knostic.ai/blog/introducing-a-new-class-of-ai-attacks-flowbreaking]]

DIVING DEEP, THEN DIVING DEEPER

BREAKING NATO RADIO ENCRYPTION
Lukas Stennes
[Paper [https://eprint.iacr.org/2023/1314.pdf]] [Video [https://media.ccc.de/v/38c3-breaking-nato-radio-encryption]]

EXPLOITING FILE WRITES IN HARDENED ENVIRONMENTS
Stefan Schiller
[Blog [https://www.sonarsource.com/blog/why-code-security-matters-even-in-hardened-environments/]] [Video [https://www.youtube.com/watch?v=ltmZNTP2KX4]]

HACKING YOURSELF A SATELLITE - RECOVERING BEESAT-1
PistonMiner
[Video [https://media.ccc.de/v/38c3-hacking-yourself-a-satellite-recovering-beesat-1]]

IRIS: NON-DESTRUCTIVE INSPECTION OF SILICON
Andrew 'bunnie' Huang
[Blog [https://www.bunniestudios.com/blog/2023/infra-red-in-situ-iris-inspection-of-silicon/]] [Paper [https://arxiv.org/pdf/2303.07406]] [Video [https://media.ccc.de/v/38c3-iris-non-destructive-inspection-of-silicon]]

SQL INJECTION ISN'T DEAD
Paul Gerste
[Slides [https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn%27t%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf]] [Video [https://www.youtube.com/watch?v=N1FAOb1krBk]]

NIFTY SUNDRIES

WHAT DEVELOPERS GET FOR FREE?
Louis Nyffenegger
[Video [https://www.youtube.com/watch?v=8HSXgbSbkCA]]

DIALING INTO THE PAST: RCE VIA THE FAX MACHINE – BECAUSE WHY NOT?
Rick de Jager and Carlo Meijer
[Video [https://www.youtube.com/watch?v=ZcV3esnIDF4]]

BROKEN ISOLATION - DRAINING YOUR CREDENTIALS FROM POPULAR MACOS PASSWORD MANAGERS
Wojciech Reguła
[Slides [https://objectivebythesea.org/v7/talks/OBTS_v7_wRegula.pdf]] [Video [https://youtu.be/DqYyw2WjQPc]]

I'LL BE THERE FOR YOU! PERPETUAL AVAILABILITY IN THE A8 MVX SYSTEM
André Rösti, Stijn Volckaert, Michael Franz, and Alexios Voulimeneas
[Code [https://github.com/andrej/a8]] [Paper [https://alexios-voulimeneas.github.io/papers/a8acsac2024.pdf]]

EXPLORING AND EXPLOITING AN ANDROID “SMART POS” PAYMENT TERMINAL
Jacopo Jannone
[Video [https://www.youtube.com/watch?v=a9BFGlxP71Y]]

THEMES COVERED IN THIS EPISODE

Edge cases at scale still matter
Works from this theme exploit rarely-occurring issues, but with an internet-wide aperture, to end up with impressive results. Look for: mechanising bit-squatting; static code analysis for vulnerabilities across all browser extensions, or across web ecosystems; and how Let’s Encrypt worries about revoking and reissuing 400M certificates in a week.

Going above and beyond
Talks and papers often use state-of-the-art tooling to measure or detect an interesting phenomenon. This theme highlights four works that could have followed that path, but also built robust tooling and research data to help others push the state of the art forward. Look for: large-scale collection and remediation of dangling domains and static secret leaks, preventing memory-corruption vulnerabilities across the Android ecosystem, remote timing attack frameworks, and SSH testing at scale.

What goes on behind the curtain can be dangerous
Modern IT systems are composed of many layers. Usually the details at lower levels can be abstracted and safely put out of mind. This theme highlights work showing that what happens in these oft-ignored places can have significant impacts. See: AWS-internal resources built on your behalf, BGP security weaknesses, stealthy hardware backdoors in access control systems spanning over 15 years, Wi-Fi management plane vulnerabilities, VPN-OS interactions, and a legacy file-system hack in Windows.

Nifty sundries
As always, we wanted to showcase work that didn’t fit into the major themes of this issue. We cover: bypassing voice authentication with only a picture of the victim’s face, racking up bills on locked credit cards, email parsing confusion, scanning IPv6, and a timing attack on remote web clients.

EDGE CASES AT SCALE STILL MATTER

FLIPPING BITS: YOUR CREDENTIALS ARE CERTAINLY MINE
Joohoi and STÖK
[Code [https://github.com/happycakefriends/certainly]] [Video [https://www.youtube.com/watch?v=R_roEB2sz9M]]

UNIVERSAL CODE EXECUTION BY CHAINING MESSAGES IN BROWSER EXTENSIONS
Eugene Lim
[Blog [https://spaceraccoon.dev/universal-code-execution-browser-extensions/]] [Video [https://www.youtube.com/watch?v=2Amrq7ydU44]]

CVE HUNTING MADE EASY
Eddie Zhang
[Blog [https://projectblack.io/blog/cve-hunting-at-scale/]] [Code [https://github.com/prjblk/wordpress-audit-automation]]

HOW TO REVOKE AND REPLACE 400 MILLION CERTIFICATES WITHOUT BREAKING THE INTERNET
Aaron Gable
[Slides [https://archives.pass-the-salt.org/Pass%20the%20SALT/2024/slides/PTS2024-TALK-12-How_to_Revoke_and_Replace_400M_Certificates_in_24_Hours.pdf]] [Video [https://passthesalt.ubicast.tv/videos/2024-how-to-revoke-and-replace-400-million-certificates-without-breaking-the-internet/]]

GOING ABOVE AND BEYOND

SECRETS AND SHADOWS: LEVERAGING BIG DATA FOR VULNERABILITY DISCOVERY AT SCALE
Bill Demirkapi
[Blog [https://billdemirkapi.me/leveraging-big-data-for-vulnerability-discovery-at-scale/]]

ELIMINATING MEMORY SAFETY VULNERABILITIES AT THE SOURCE
Jeff Vander Stoep and Alex Rebert
[Blog [https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html]]

LISTEN TO THE WHISPERS: WEB TIMING ATTACKS THAT ACTUALLY WORK
James Kettle
[Slides [http://i.blackhat.com/BH-US-24/Presentations/US-24-Kettle-Listen-to-the-whispers-web-timing-attacks-that-actually-work.pdf]] [Paper [https://i.blackhat.com/BH-US-24/Presentations/US-24-Kettle-Listen-to-the-whispers-web-timing-attacks-that-actually-work-wp.pdf]] [Code [https://github.com/PortSwigger/param-miner]]

SECURE SHELLS IN SHAMBLES
HD Moore and Rob King
[Slides [https://i.blackhat.com/BH-US-24/Presentations/REVISED02-US24_Moore_Secure_Shells_in_Shambles_Wednesday.pdf]] [Code [https://github.com/runZeroInc/sshamble]] [Video [https://www.youtube.com/watch?v=G5yRpdNbdBs]]

WHAT GOES ON BEHIND THE CURTAIN CAN BE DANGEROUS

BREACHING AWS ACCOUNTS THROUGH SHADOW RESOURCES
Yakir Kadkoda, Michael Katchinskiy, and Ofek Itach
[Slides [https://i.blackhat.com/BH-US-24/Presentations/US24-Kadkoda-Breaching-AWS-Accounts-Through-Shadow-Resources-Wednesday.pdf]] [Code [https://github.com/Aqua-Nautilus/TrailShark]]

CRASHING THE PARTY: VULNERABILITIES IN RPKI VALIDATION
Niklas Vogel, Donika Mirdita, Haya Schulmann, and Michael Waidner
[Slides [https://i.blackhat.com/BH-US-24/Presentations/US24-Mirdita-Crashing-The-Party-Vulnerabilities-in-RPKI-Validation-Thursday.pdf]] [Paper [http://i.blackhat.com/BH-US-24/Presentations/US24-Mirdita-Crashing-The-Party-Vulnerabilities-in-RPKI-Validation-wp.pdf]]

MIFARE CLASSIC: EXPOSING THE STATIC ENCRYPTED NONCE VARIANT... AND A FEW HARDWARE BACKDOORS
Philippe Teuwen
[Blog [https://blog.quarkslab.com/mifare-classic-static-encrypted-nonce-and-backdoors.html]] [Paper [https://eprint.iacr.org/2024/1275.pdf]] [Code [https://github.com/RfidResearchGroup/proxmark3]]

FALLEN TOWER OF BABEL: ROOTING WIRELESS MESH NETWORKS BY ABUSING HETEROGENEOUS CONTROL PROTOCOLS
Xin'an Zhou, Zhiyun Qian, Juefei Pu, Qing Deng, Srikanth Krishnamurthy, and Keyu Man
[Slides [https://i.blackhat.com/BH-US-24/Presentations/US24-Zhou-Fallen-Tower-of-Babel-Rooting-Wednesday.pdf]] [Paper [https://www.cs.ucr.edu/~zhiyunq/pub/ccs24_wireless_mesh.pdf]] [Code [https://github.com/seclab-ucr/CCS24Mesh]]

ATTACKING CONNECTION TRACKING FRAMEWORKS AS USED BY VIRTUAL PRIVATE NETWORKS
Benjamin Mixon-Baca, Jeffrey Knockel, Diwen Xue, Deepak Kapur, Roya Ensafi, and Jed Crandall
[Paper [https://petsymposium.org/popets/2024/popets-2024-0070.pdf]]

MAGICDOT: A HACKER'S MAGIC SHOW OF DISAPPEARING DOTS AND SPACES
Or Yair
[Slides [http://i.blackhat.com/Asia-24/Presentations/Asia-24-Yair-magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces.pdf]] [Blog [https://www.safebreach.com/blog/magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces/]] [Video [https://www.youtube.com/watch?v=oyYPIkba8Yg]] [Code [https://github.com/SafeBreach-Labs/MagicDot]]

NIFTY SUNDRIES

CAN I HEAR YOUR FACE? PERVASIVE ATTACK ON VOICE AUTHENTICATION SYSTEMS WITH A SINGLE FACE IMAGE
Nan Jiang, Bangjie Sun, Terence Sim, and Jun Han
[Paper [https://www.usenix.org/system/files/usenixsecurity24-jiang-nan.pdf]] [Code [https://github.com/SeCATrity/Foice]]

IN WALLET WE TRUST: BYPASSING THE DIGITAL WALLETS PAYMENT SECURITY FOR FREE SHOPPING
Raja Hasnain Anwar, Syed Rafiul Hussain, and Muhammad Taqi Raza
[Slides [https://www.usenix.org/system/files/usenixsecurity24_slides-anwar.pdf]] [Paper [https://www.usenix.org/system/files/usenixsecurity24-anwar.pdf]]

SPLITTING THE EMAIL ATOM: EXPLOITING PARSERS TO BYPASS ACCESS CONTROLS
Gareth Heyes
[Slides [http://i.blackhat.com/BH-US-24/Presentations/US24-Heyes-Splitting-the-Email-Atom-Exploiting-Parsers-to-Bypass-Access-Controls-Wednesday.pdf]] [Paper [http://i.blackhat.com/BH-US-24/Presentations/US24-Heyes-Splitting-the-Email-Atom-Exploiting-Parsers-to-Bypass-Access-Controls-wp.pdf]] [Code [https://github.com/portswigger/splitting-the-email-atom]]

6SENSE: INTERNET-WIDE IPV6 SCANNING AND ITS SECURITY APPLICATIONS
Grant Williams, Mert Erdemir, Amanda Hsu, Shraddha Bhat, Abhishek Bhaskar, Frank Li, and Paul Pearce
[Slides [https://www.usenix.org/system/files/usenixsecurity24_slides-williams.pdf]] [Paper [https://www.usenix.org/system/files/usenixsecurity24-williams.pdf]] [Code [https://github.com/IPv6-Security/6Sense]]

SNAILLOAD: ANYONE ON THE INTERNET CAN LEARN WHAT YOU'RE DOING
Daniel Gruss and Stefan Gast
[Slides [https://i.blackhat.com/BH-US-24/Presentations/US24-Gast-SnailLoad-Anyone-on-the-Internet-Wednesday.pdf]] [Paper [https://www.snailload.com/snailload.pdf]]

CONCLUSIONS

While we started off 2024 with a modest number of high-quality works, this has scaled up significantly. As conference publications increase, we do see a slight decline in the number of blogs; there does appear to be some inverse correlation between the two tallies. We highlighted three themes for this quarter:

1. Rare events that happen at internet scale have big impacts.
2. Going above and beyond in tooling development.
3. Cross-layer gotchas.

We’re looking forward to seeing how the year closes out with our year in review and the final quarter of 2024.

AI/ML IN SECURITY

INJECTING INTO LLM-ADJACENT COMPONENTS
Johann Rehberger
[Blog 1 [https://embracethered.com/blog/posts/2024/github-copilot-chat-prompt-injection-data-exfiltration/]] [Blog 2 [https://embracethered.com/blog/posts/2024/chatgpt-hacking-memories/]]

TEAMS OF LLM AGENTS CAN EXPLOIT ZERO-DAY VULNERABILITIES
Richard Fang, Rohan Bindu, Akul Gupta, Qiusi Zhan, and Daniel Kang
[Paper [https://arxiv.org/pdf/2406.01637]]

PROJECT NAPTIME: EVALUATING OFFENSIVE SECURITY CAPABILITIES OF LARGE LANGUAGE MODELS
Sergei Glazunov and Mark Brand
[Blog [https://googleprojectzero.blogspot.com/2024/06/project-naptime.html]]

LLMS CANNOT RELIABLY IDENTIFY AND REASON ABOUT SECURITY VULNERABILITIES (YET?): A COMPREHENSIVE EVALUATION, FRAMEWORK, AND BENCHMARKS
Saad Ullah, Mingji Han, Saurabh Pujar, Hammond Pearce, Ayse Kivilcim Coskun, and Gianluca Stringhini
[Paper [https://arxiv.org/pdf/2312.12575]] [Code [https://github.com/ai4cloudops/SecLLMHolmes]]

THE IMPACT OF BACKDOOR POISONING VULNERABILITIES ON AI-BASED THREAT DETECTORS
Dmitrijs Trizna, Luca Demetrio, Battista Biggio, and Fabio Roli
[Slides [https://github.com/dtrizna/talks/blob/main/2024_BlueHat_India_Poisoning_AI_Threat_Detectors.pdf]] [Paper [https://arxiv.org/pdf/2402.18329]] [Code [https://github.com/dtrizna/QuasarNix]]

LOOKING AT THE WHOLE SYSTEM

SYSTEMS ALCHEMY: THE TRANSMUTATION OF HACKING
Thaddeus grugq
[Video [https://www.youtube.com/watch?v=JYhIui542Xg]]

THE BOOM, THE BUST, THE ADJUST AND THE UNKNOWN
Maor Shwartz
[Slides [https://www.slideshare.net/slideshow/zer0con-2024-final-share-short-versionpdf/267171223]]

POISONING WEB-SCALE TRAINING DATASETS IS PRACTICAL
Nicholas Carlini, Matthew Jagielski, Christopher A. Choquette-Choo, Daniel Paleka, Will Pearce, Hyrum Anderson, Andreas Terzis, Kurt Thomas, and Florian Tramèr
[Paper [https://arxiv.org/abs/2302.10149]]

INTERCLOUD IDENTITIES: THE RISKS AND MITIGATIONS OF ACCESS BETWEEN CLOUD PROVIDERS
Noam Dahan and Ari Eitan
[Video [https://www.youtube.com/watch?v=7hWepdMRckg]]

NEW MODALITIES WITH WHICH TO INFLICT PAIN

GPU.ZIP: ON THE SIDE-CHANNEL IMPLICATIONS OF HARDWARE-BASED GRAPHICAL DATA COMPRESSION
Yingchen Wang, Riccardo Paccagnella, Zhao Gang, Willy R. Vasquez, David Kohlbrenner, Hovav Shacham, and Christopher W. Fletcher
[Paper [https://www.hertzbleed.com/gpu.zip/GPU-zip.pdf]]

AQUASONIC: ACOUSTIC MANIPULATION OF UNDERWATER DATA CENTER OPERATIONS AND RESOURCE MANAGEMENT
Jennifer Sheldon, Weidong Zhu, Adnan Abdullah, Sri Hrushikesh Varma Bhupathiraju, Takeshi Sugawara, Kevin Butler, Md Jahidul Islam, and Sara Rampazzi
[Paper [https://arxiv.org/pdf/2404.11815]] [Video [https://cpseclab.github.io/aquasonic/]]

VIDEO-BASED CRYPTANALYSIS: EXTRACTING CRYPTOGRAPHIC KEYS FROM VIDEO FOOTAGE OF A DEVICE’S POWER LED CAPTURED BY STANDARD VIDEO CAMERAS
Ben Nassi, Etay Iluz, Or Cohen, Ofek Vayner, Dudi Nassi, Boris Zadov, and Yuval Elovici
[Site [https://www.nassiben.com/video-based-crypta]] [Paper [https://eprint.iacr.org/2023/923.pdf]] [Video [https://www.youtube.com/watch?v=JBr51OJlZcE]]

OLD COMPONENTS SHOWING THE STRAIN

EXPLOITING SEQUENCE NUMBER LEAKAGE: TCP HIJACKING IN NAT-ENABLED WI-FI NETWORKS
Yuxiang Yang, Xuewei Feng, Qi Li, Kun Sun, Ziqiang Wang, and Ke Xu
[Blog [https://blog.apnic.net/2024/06/18/off-path-tcp-hijacking-in-nat-enabled-wi-fi-networks/]] [Paper [https://www.ndss-symposium.org/wp-content/uploads/2024-419-paper.pdf]]

RELIABLE PAYLOAD TRANSMISSION PAST THE SPOOFED TCP HANDSHAKE
Yepeng Pan and Christian Rossow
[Paper [https://publications.cispa.de/articles/conference_contribution/TCP_Spoofing_Reliable_Payload_Transmission_Past_the_Spoofed_TCP_Handshake/25771929]] [Code [https://github.com/ypando/spoofing_feedback]]

PARSE ME, BABY, ONE MORE TIME: BYPASSING HTML SANITIZER VIA PARSING DIFFERENTIALS
David Klein and Martin Johns
[Paper [https://www.ias.cs.tu-bs.de/publications/parsing_differentials.pdf]] [Code [https://github.com/ias-tubs/HTML_parsing_differentials]]

PRACTICAL EXPLOITATION OF REGISTRY VULNERABILITIES IN THE WINDOWS KERNEL
Mateusz Jurczyk
[Blog [https://googleprojectzero.blogspot.com/2024/04/the-windows-registry-adventure-1.html]] [Video [https://www.youtube.com/watch?v=qllMa2UUPvY]]

NIFTY SUNDRIES

AN ANALYSIS OF RECENT ADVANCES IN DEEPFAKE IMAGE DETECTION IN AN EVOLVING THREAT LANDSCAPE
Sifat Muhammad Abdullah, Aravind Cheruvu, Shravya Kanchi, Taejoong Chung, Peng Gao, Murtuza Jadliwala, and Bimal Viswanath
[Code [https://github.com/secml-lab-vt/EvolvingThreat-DeepfakeImageDetect]] [Paper [https://arxiv.org/pdf/2404.16212]]

TRACKING ILLICIT PHISHERMEN IN THE DEEP BLUE AZURE
Jacob Torrey
[Slides [https://docs.google.com/presentation/d/12gwshNX57-5g9XxAaS4CuK_KPKUXbDyV/edit?usp=drive_link&ouid=104815586539540751141&rtpof=true&sd=true]] [Code [https://github.com/thinkst/canarytokens/tree/master/aws-css-token-infra/CSSClonedSiteCFFunc]]

SEVERIFAST: MINIMIZING THE ROOT OF TRUST FOR FAST STARTUP OF SEV MICROVMS
Benjamin Holmes, Jason Waterman, and Dan Williams
[Paper [https://people.cs.vt.edu/djwillia/papers/asplos24-severifast.pdf]] [Code [https://github.com/SEVeriFast/severifast]]

CERTICEPTION: THE ADCS HONEYPOT WE ALWAYS WANTED
Balthasar Martin and Niklas van Dornick
[Blog [https://www.srlabs.de/blog-post/certiception-the-adcs-honeypot-we-always-wanted]] [Code [https://github.com/srlabs/Certiception]] [Slides [http://github.com/srlabs/Certiception/blob/master/documentation/The_Red_Teamers_Guide_To_Deception.pdf]]

REVEALING MORE THAN ANTICIPATED, AND PREVENTING PRYING EYES

PRINTLISTENER: UNCOVERING THE VULNERABILITY OF FINGERPRINT AUTHENTICATION VIA THE FINGER FRICTION SOUND
Man Zhou, Shuao Su, Qian Wang, Qi Li, Yuting Zhou, Xiaojing Ma, and Zhengxiong Li
[Paper [https://www.ndss-symposium.org/wp-content/uploads/2024-618-paper.pdf]]

MODELGUARD: INFORMATION-THEORETIC DEFENSE AGAINST MODEL EXTRACTION ATTACKS
Minxue Tang, Anna Dai, Louis DiValentin, Aolin Ding, Amin Hass, Neil Zhenqiang Gong, Yiran Chen, and Hai Li
[Paper [https://www.usenix.org/system/files/sec24summer-prepub-409-tang.pdf]] [Code [https://github.com/Yoruko-Tang/ModelGuard]]

RECORD: A RECEPTION-ONLY REGION DETERMINATION ATTACK ON LEO SATELLITE USERS
Eric Jedermann, Martin Strohmeier, Vincent Lenders, and Jens Schmitt
[Code [https://github.com/ErJedermann/RECORD]] [Paper [https://www.usenix.org/system/files/sec23winter-prepub-380-jedermann.pdf]]

PRIVATE WEB SEARCH WITH TIPTOE
Alexandra Henzinger, Emma Dauterman, Henry Corrigan-Gibbs, and Nickolai Zeldovich
[Slides [https://iacr.org/submit/files/slides/2024/rwc/rwc2024/43/slides.pdf]] [Paper [https://eprint.iacr.org/2023/1438]] [Video [https://www.youtube.com/watch?v=IIs1S3nRg4w]] [Code [https://github.com/ahenzinger/tiptoe]]

CAN VIRTUAL REALITY PROTECT USERS FROM KEYSTROKE INFERENCE ATTACKS?
Zhuolin Yang, Zain Sarwar, Iris Hwang, Ronik Bhaskar, Ben Y. Zhao, and Haitao Zheng
[Website [https://sandlab.cs.uchicago.edu/vrkeystroke/]] [Paper [https://arxiv.org/pdf/2310.16191]]

BACKTRACE IN TIME: REVEALING ATTACKERS’ SLEEP PATTERNS AND DAYS OFF IN RDP BRUTE-FORCE ATTACKS WITH CALENDAR HEATMAPS
Andréanne Bergeron
[Code [https://github.com/GoSecure/pyrdp]] [Blog [https://gosecure.ai/blog/2024/02/07/beyond-the-script-attackers-sleep-schedule-and-strategies-behind-automated-attacks/]] [Video [https://archive.org/details/shmoocon2024/Shmoocon2024-Andr%C3%A9anneBergeron-Backtrace_in_Time.mp4]]

TAKING ANOTHER LOOK WITH A FRESH PERSPECTIVE

BREAKING HTTP SERVERS, PROXIES, AND LOAD BALANCERS USING THE HTTP GARDEN
Ben Kallus and Prashant Anantharaman
[Code [https://github.com/narfindustries/http-garden]] [Video [https://archive.org/details/shmoocon2024/Shmoocon2024-BenKallus_%26_PrashantAnantharaman-Breaking_HTTP_Servers...Using_the_HTTP_Garden.mp4]]

COMPILER BACKDOORING FOR BEGINNERS
Marion Marschalek
[Video [https://www.youtube.com/watch?v=KgBuaHbD7GA]]

REVISITING 2017: AI AND SECURITY, 7 YEARS LATER
Thomas Dullien
[Video [https://www.youtube.com/watch?v=xA-ns0zi0k0]]

AUTOMATED LARGE-SCALE ANALYSIS OF COOKIE NOTICE COMPLIANCE
Ahmed Bouhoula, Karel Kubicek, Amit Zac, Carlos Cotrini, and David Basin
[Paper [https://www.usenix.org/system/files/sec23winter-prepub-107-bouhoula.pdf]] [Code Access [https://ahmedbouhoula.github.io/post/automated.html]]

TURNING WINDOWS INTO DOORS

LSA WHISPERER
Evan McBroom
[Slides [https://github.com/SpecterOps/presentations/tree/main/SO-CON%202024/Evan%20McBroom%20-%20LSA%20Whisper]] [Blog [https://posts.specterops.io/lsa-whisperer-20874277ea3b]] [Code [https://github.com/EvanMcBroom/lsa-whisperer]]

WISHING: WEBHOOK PHISHING IN TEAMS
Matthew Eidelberg
[Blog [https://www.blackhillsinfosec.com/wishing-webhook-phishing-in-teams/]] [Code [https://github.com/dafthack/GraphRunner]]

MISCONFIGURATION MANAGER: OVERLOOKED AND OVERPRIVILEGED
Duane Michael and Chris Thompson
[Slides [https://github.com/SpecterOps/presentations/tree/main/SO-CON%202024/Duane%20Michael%20%26%20Chris%20Thompson]] [Blog [https://posts.specterops.io/misconfiguration-manager-overlooked-and-overprivileged-70983b8f350d]] [Code [https://github.com/subat0mik/Misconfiguration-Manager]]

SMOKE AND MIRRORS: HOW TO HIDE IN MICROSOFT AZURE
Aled Mehta and Christian Philipov
[Video [https://www.youtube.com/watch?v=uvoV75Q7cqU]]

NIFTY SUNDRIES

BACKDOOR IN XZ UTILS ALLOWS RCE: EVERYTHING YOU NEED TO KNOW
Andres Freund, Merav Bar, Amitai Cohen, Danielle Aminov, and Russ Cox
[Initial Disclosure [https://www.openwall.com/lists/oss-security/2024/03/29/4]] [Wiz Blog [https://www.wiz.io/blog/cve-2024-3094-critical-rce-vulnerability-found-in-xz-utils]] [Timeline [https://research.swtch.com/xz-timeline]]

MORE MONEY, FEWER FOSS SECURITY PROBLEMS? THE DATA, SUCH AS IT IS
John Speed Meyers, Sara Ann Brackett, and Stewart Scott
[Video [https://archive.org/details/shmoocon2024/Shmoocon2024-JohnMeyers_SaraBrackett_%26_StewartScott-More_Money_Fewer_FOSS_Security_Problems.mp4]]

MUDDING AROUND: HACKING FOR GOLD IN TEXT-BASED GAMES
Unix-ninja
[Blog [https://www.unix-ninja.com/p/mudding_around_hacking_for_gold_in_text-based_games]]

DEGPT: OPTIMIZING DECOMPILER OUTPUT WITH LLM
Peiwei Hu, Ruigang Liang, and Kai Chen
[Paper [https://www.ndss-symposium.org/wp-content/uploads/2024-401-paper.pdf]]