ThinkstScapes

ThinkstScapes Q1’25Putting it into practiceHomomorphic Encryption across Apple featuresRehan Rishi, Haris Mughees, Fabian Boemer, Karl Tarbe, Nicholas Genise, Akshay Wadia, and Ruiyu Zhu[Code] [Paper] [Video]Beyond the Hook: A Technical Deep Dive into Modern Phishing MethodologiesAlexandre Nesic[Blog] How to Backdoor Large Language ModelsShrivu Shankar[Blog] [Code] Buccaneers of the Binary: Plundering Compiler Optimizations for Decompilation TreasureZion Leonahenahe Basque[Code] [Video]Software Screws Around, Reverse Engineering Finds Out: How Independent, Adversarial Research Informs Government RegulationAndy Sellars and Michael A. Specter[Video] [Website]Understanding things all the way downPhantomLiDAR: Cross-modality Signal Injection Attacks against LiDARZizhi Jin, Qinhong Jiang, Xuancun Lu, Chen Yan, Xiaoyu Ji, and Wenyuan Xu[Paper] [Demo Videos]Full-stack Reverse Engineering of the Original Microsoft XboxMarkus Gaasedelen[Video]Wallbleed: A Memory Disclosure Vulnerability in the Great Firewall of ChinaShencha Fan, Jackson Sippe, Sakamoto San, Jade Sheffey, David Fifield, Amir Houmansadr, Elson Wedwards, and Eric Wustrow[Paper]Scaling software (in)securityLow-Effort Denial of Service with RecursionAlexis Challande and Brad Swain[Paper] [Video]Is this memory safety here in the room with us?Thomas Dullien (Halvar Flake)[Slides] [Video]How to gain code execution on millions of people and hundreds of popular appsEva[Blog]Node is a loaderTom Steele[Blog]Mixing up Public and Private Keys in OpenID Connect deploymentsHanno Böck[Blog] [Code]Nifty sundriesWill It Run? Fooling EDRs With Command Lines Using Empirical DataWietze Beukema[Tool site] [Code] [Video]Homoglyph-Based Attacks: Circumventing LLM DetectorsAldan Creo[Paper] [Code] [Video]28 Months Later - The Ongoing Evolution of Russia's Cyber OperationsThe Grugq[Slides] [Podcast interview]‘It's Not Paranoia If They're Really After You’: When Announcing Deception Technology Can Change Attacker DecisionsAndrew Reeves and Debi Ashenden[Paper]Off-Path TCP Hijacking in Wi-Fi Networks: A Packet-Size Side Channel AttackZiqiang Wang, Xuewei Feng, Qi Li, Kun Sun, Yuxiang Yang, Mengyuan Li, Ganqiu Du, Ke Xu, and Jianping Wu[Paper] [Code]

ThinkstScapes Q4’24Wins and losses in the Microsoft ecosystemPointer Problems - Why We’re Refactoring the Windows KernelJoe Bialek[Video]Defending off the landCasey Smith, Jacob Torrey, and Marco Slaviero[Slides] [Code]Unveiling the Power of Intune: Leveraging Intune for Breaking Into Your Cloud and On-PremiseYuya Chudo[Slides] [Code]From Simulation to Tenant TakeoverVaisha Bernard[Video]From Convenience to Contagion: The Libarchive Vulnerabilities Lurking in Windows 11NiNi Chen[Slides] [Video]LLM hype continues, as do the security issuesThings we learned about LLMs in 2024Simon Willison[Blog]AI Meets Git: Unmasking Security Flaws in Qodo MergeNils Amiet[Slides] [Video] [Blog]Suicide Bot: New AI Attack Causes LLM to Provide Potential “Self-Harm” InstructionsGadi Evron[Blog]Diving deep, then diving deeperBreaking NATO Radio EncryptionLukas Stennes[Paper] [Video]Exploiting File Writes in Hardened EnvironmentsStefan Schiller[Blog] [Video]Hacking yourself a satellite - recovering BEESAT-1PistonMiner[Video]IRIS: Non-Destructive Inspection of SiliconAndrew 'bunnie' Huang[Blog] [Paper] [Video]SQL Injection Isn't DeadPaul Gerste[Slides] [Video]Nifty sundriesWhat Developers Get for Free?Louis Nyffenegger[Video]Dialing into the Past: RCE via the Fax Machine – Because Why Not?Rick de Jager and Carlo Meijer[Video]Broken isolation - Draining your Credentials from Popular macOS Password ManagersWojciech Reguła[Slides] [Video]I'll Be There for You! Perpetual Availability in the A8 MVX SystemAndré Rösti, Stijn Volckaert, Michael Franz, and Alexios Voulimeneas[Code] [Paper]Exploring and Exploiting an Android “Smart POS” Payment TerminalJacopo Jannone[Video]

Themes covered in this episodeEdge cases at scale still matterWorks from this theme exploit rarely-occurring issues, but with an internet-wide aperture to end up with impressive results. Look for: mechanising bit-squatting; static code analysis for vulnerabilities across all browser extensions, or across web ecosystems; and how Let’s Encrypt worries about revoking and reissuing 400M certificates in a week.Going above and beyondTalks and papers often use state-of-the-art tooling to measure/detect an interesting phenomenon. This theme highlights four works that could have followed that path, but also built robust tooling/research data to help others push the state-of-the-art forward. Look for: large scale collection and remediation of dangling domains and static secret leaks, preventing memory-corruption vulnerabilities across the Android ecosystem, remote timing attack frameworks, and SSH testing at scale.What goes on behind the curtain can be dangerousModern IT systems are composed of many layers. Usually the details at lower levels can be abstracted and safely put out of mind. This theme highlights work that shows that what happens in these oft-ignored places can have significant impacts. See: AWS-internal resources built on your behalf, BGP security weaknesses, stealthy hardware backdoors in access control systems spanning over 15 years, Wi-Fi management plane vulnerabilities, VPN-OS interactions, and a legacy file-system hack in Windows.Nifty sundriesAs always, we wanted to showcase work that didn’t fit into the major themes of this issue. We cover: bypassing voice authentication with only a picture of the victim’s face, racking up bills on locked credit cards, email parsing confusion, scanning IPv6, and a timing attack on remote web clients.Edge cases at scale still matterFlipping Bits: Your Credentials Are Certainly MineJoohoi and STÖK[Code] [Video]Universal Code Execution by Chaining Messages in Browser ExtensionsEugene Lim[Blog] [Video]CVE Hunting Made EasyEddie Zhang[Blog] [Code] How To Revoke And Replace 400 Million Certificates Without Breaking The InternetAaron Gable[Slides] [Video]Going above and beyondSecrets and Shadows: Leveraging Big Data for Vulnerability Discovery at ScaleBill Demirkapi[Blog]Eliminating Memory Safety Vulnerabilities at the SourceJeff Vander Stoep and Alex Rebert[Blog]Listen to the Whispers: Web Timing Attacks that Actually WorkJames Kettle[Slides] [Paper] [Code]Secure Shells in ShamblesHD Moore and Rob King[Slides] [Code] [Video]What goes on behind the curtain can be dangerousBreaching AWS Accounts Through Shadow ResourcesYakir Kadkoda, Michael Katchinskiy, and Ofek Itach[Slides] [Code]Crashing the Party: Vulnerabilities in RPKI ValidationNiklas Vogel, Donika Mirdita, Haya Schulmann, and Michael Waidner[Slides] [Paper]MIFARE Classic: exposing the static encrypted nonce variant... and a few hardware backdoorsPhilippe Teuwen[Blog] [Paper] [Code]Fallen Tower of Babel: Rooting Wireless Mesh Networks by Abusing Heterogeneous Control ProtocolsXin'an Zhou, Zhiyun Qian, Juefei Pu, Qing Deng, Srikanth Krishnamurthy, and Keyu Man[Slides] [Paper] [Code]Attacking Connection Tracking Frameworks as used by Virtual Private NetworksBenjamin Mixon-Baca, Jeffrey Knockel, Diwen Xue, Deepak Kapur, Roya Ensafi, and Jed Crandall[Paper]MagicDot: A Hacker's Magic Show of Disappearing Dots and SpacesOr Yair[Slides] [Blog] [Video] [Code]Nifty sundriesCan I Hear Your Face? Pervasive Attack on Voice Authentication Systems with a Single Face ImageNan Jiang, Bangjie Sun, Terence Sim, and Jun Han[Paper] [Code]In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free ShoppingRaja Hasnain Anwar, Syed Rafiul Hussain, and Muhammad Taqi Raza[Slides] [Paper]Splitting the Email Atom: Exploiting Parsers to Bypass Access ControlsGareth Heyes[Slides] [Paper] [Code]6Sense: Internet-Wide IPv6 Scanning and its Security ApplicationsGrant Williams, Mert Erdemir, Amanda Hsu, Shraddha Bhat, Abhishek Bhaskar, Frank Li, and Paul Pearce[Slides] [Paper] [Code]SnailLoad: Anyone on the Internet Can Learn What You're DoingDaniel Gruss and Stefan Gast[Slides] [Paper]ConclusionsWhile we started off 2024 with a modest amount of high-quality works, this has scaled up significantly. As conference publications increase, we do see a slight decline in the number of blogs; there does appear to be some inverse correlation between the two tallies.We highlighted three themes for this quarter:Rare events that happen at internet-scale have big impacts.Going above and beyond in tooling development.Cross-layer gotchas.We’re looking forward to seeing how the year closes out with our year in review and the final quarter of 2024. 

AI/ML in securityInjecting into LLM-adjacent componentsJohann Rehberger[Blog 1] [Blog 2]Teams of LLM Agents can Exploit Zero-Day VulnerabilitiesRichard Fang, Rohan Bindu, Akul Gupta, Qiusi Zhan, and Daniel Kang[Paper] Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models Sergei Glazunov and Mark Brand[Blog] LLMs Cannot Reliably Identify and Reason About Security Vulnerabilities (Yet?): A Comprehensive Evaluation, Framework, and BenchmarksSaad Ullah, Mingji Han, Saurabh Pujar, Hammond Pearce, Ayse Kivilcim Coskun, and Gianluca Stringhini[Paper] [Code]The Impact of Backdoor Poisoning Vulnerabilities on AI-Based Threat DetectorsDmitrijs Trizna, Luca Demetrio, Battista Biggio, and Fabio Roli[Slides] [Paper] [Code]Looking at the whole systemSystems Alchemy: The Transmutation of HackingThaddeus grugq[Video]The Boom, the Bust, the Adjust and the UnknownMaor Shwartz[Slides]Poisoning Web-Scale Training Datasets is PracticalNicholas Carlini, Matthew Jagielski, Christopher A. Choquette-Choo, Daniel Paleka, Will Pearce, Hyrum Anderson, Andreas Terzis, Kurt Thomas, and Florian Tramèr[Paper]Intercloud Identities: The Risks and Mitigations of Access Between Cloud ProvidersNoam Dahan and Ari Eitan[Video]New modalities with which to inflict painGPU.zip: On the Side-Channel Implications of Hardware-Based Graphical Data CompressionYingchen Wang, Riccardo Paccagnella, Zhao Gang, Willy R. Vasquez, David Kohlbrenner, Hovav Shacham, and Christopher W. Fletcher[Paper]AquaSonic: Acoustic Manipulation of Underwater Data Center Operations and Resource ManagementJennifer Sheldon, Weidong Zhu, Adnan Abdullah, Sri Hrushikesh Varma Bhupathiraju, Takeshi Sugawara, Kevin Butler, Md Jahidul Islam, and Sara Rampazzi[Paper] [Video]Video-Based Cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device’s Power LED Captured By Standard Video CamerasBen Nassi, Etay Iluz, Or Cohen, Ofek Vayner, Dudi Nassi, Boris Zadov, and Yuval Elovici[Site] [Paper] [Video]Old components showing the strainExploiting Sequence Number Leakage: TCP Hijacking in NAT-Enabled Wi-Fi NetworksYuxiang Yang, Xuewei Feng, Qi Li, Kun Sun, Ziqiang Wang, and Ke Xu[Blog] [Paper] Reliable Payload Transmission Past the Spoofed TCP HandshakeYepeng Pan and Christian Rossow[Paper] [Code]Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing DifferentialsDavid Klein and Martin Johns[Paper] [Code]Practical Exploitation of Registry Vulnerabilities in the Windows KernelMateusz Jurczyk[Blog] [Video]Nifty sundriesAn Analysis of Recent Advances in Deepfake Image Detection in an Evolving Threat LandscapeSifat Muhammad Abdullah, Aravind Cheruvu, Shravya Kanchi, Taejoong Chung, Peng Gao, Murtuza Jadliwala, and Bimal Viswanath[Code] [Paper]Tracking illicit phishermen in the deep blue AzureJacob Torrey[Slides] [Code]SEVeriFast: Minimizing the root of trust for fast startup of SEV microVMsBenjamin Holmes, Jason Waterman, and Dan Williams[Paper] [Code]Certiception: The ADCS Honeypot We Always WantedBalthasar Martin and Niklas van Dornick[Blog] [Code] [Slides]

Revealing more than anticipated, and preventing prying eyesPrintListener: Uncovering the Vulnerability of Fingerprint Authentication via the Finger Friction SoundMan Zhou, Shuao Su, Qian Wang, Qi Li, Yuting Zhou, Xiaojing Ma, and Zhengxiong Li[Paper]ModelGuard: Information-Theoretic Defense Against Model Extraction AttacksMinxue Tang, Anna Dai, Louis DiValentin, Aolin Ding, Amin Hass, Neil Zhenqiang Gong, Yiran Chen, and Hai Li[Paper] [Code]RECORD: A RECeption-Only Region Determination Attack on LEO Satellite UsersEric Jedermann, Martin Strohmeier, Vincent Lenders, and Jens Schmitt[Code] [Paper]Private web search with TiptoeAlexandra Henzinger, Emma Dauterman, Henry Corrigan-Gibbs, and Nickolai Zeldovich[Slides] [Paper] [Video] [Code]Can Virtual Reality Protect Users from Keystroke Inference Attacks?Zhuolin Yang, Zain Sarwar, Iris Hwang, Ronik Bhaskar, Ben Y. Zhao, and Haitao Zheng[Website] [Paper]Backtrace in Time: Revealing Attackers’ Sleep Patterns and Days Off in RDP Brute-Force Attacks with Calendar HeatmapsAndréanne Bergeron[Code] [Blog] [Video]Taking another look with a fresh perspectiveBreaking HTTP Servers, Proxies, and Load Balancers Using the HTTP GardenBen Kallus and Prashant Anantharaman[Code] [Video]Compiler Backdooring For BeginnersMarion Marschalek[Video]Revisiting 2017: AI and Security, 7 years laterThomas Dullien[Video]Automated Large-Scale Analysis of Cookie Notice ComplianceAhmed Bouhoula, Karel Kubicek, Amit Zac, Carlos Cotrini, and David Basin[Paper] [Code Access]Turning Windows into doorsLSA WhispererEvan McBroom[Slides] [Blog] [Code]Wishing: Webhook Phishing in TeamsMatthew Eidelberg[Blog] [Code]Misconfiguration Manager: Overlooked and OverprivilegedDuane Michael and Chris Thompson[Slides] [Blog] [Code]Smoke and Mirrors: How to hide in Microsoft AzureAled Mehta and Christian Philipov[Video]Nifty sundriesBackdoor in XZ Utils allows RCE: everything you need to knowAndres Freund, Merav Bar, Amitai Cohen, Danielle Aminov, and Russ Cox[Initial Disclosure] [Wiz Blog] [Timeline]More Money, Fewer FOSS Security Problems? The Data, Such As It IsJohn Speed Meyers, Sara Ann Brackett, and Stewart Scott[Video]MUDding Around: Hacking for gold in text-based gamesUnix-ninja[Blog]DeGPT: Optimizing Decompiler Output with LLMPeiwei Hu, Ruigang Liang, and Kai Chen[Paper]

LLMs ain't making life any easierAbusing Images and Sounds for Indirect Instruction Injection in Multi-Modal LLMsTsung-Yin Hsieh, Ben Nassi, Vitaly Shmatikov, and Eugene Bagdasaryan[Slides] [Paper] [Code]Tree of Attacks: Jailbreaking Black-Box LLMs AutomaticallyAnay Mehrotra, Manolis Zampetakis, Paul Kassianik, Blaine Nelson, Hyrum Anderson, Yaron Singer, and Amin Karbasi[Paper] [Code]Avoiding the basilisk's fangs: State-of-the-art in AI LLM detectionJacob Torrey[Slides] [Code] [Video]Dystopian much: The Rise of the Influence MachinesNea Paw[Blog] [Video]Problems in well-trodden areasSMTP Smuggling – Spoofing E-mails WorldwideTimo Longin[Blog] [Video]Blind CSS Exfiltration: Exfiltrate unknown web pagesGareth Heyes[Slides] [Blog] [Code]OLE object are still dangerous today – Exploiting Microsoft Officewh1tc and Zhiniang Peng[Slides] [Demo Videos]The Nightmare of Apple’s OTA UpdateMickey Jin[Slides] [Blog] [Video]Reflecting on our effortsEvaluating the Security Posture of Real-World FIDO2 DeploymentsDhruv Kuchhal, Muhammad Saad, Adam Oest, and Frank Li[Paper]Talking about Pros and ConsJacob Torrey[Slides] [Video]NCC Group’s 2022 & 2023 Research ReportNCC Group[Paper] [Blog]A 3-Year Tale of Hacking a Pwn2Own Target: The Attacks, Vendor Evolution, and Lessons LearnedOrange Tsai[Slides] [Video]Nifty sundriesBreaking "DRM" in Polish trainsMrTick, Redford, and q3k[Video]Detection and Blocking with BPF via YAMLKevin Sheldrake[Slides] [Code]AntiFake: Using Adversarial Audio to Prevent Unauthorized Speech SynthesisZhiyuan Yu, Shixuan Zhai, and Ning Zhang[Paper] [Code]A Good Fishman Knows All the Angles: A Critical Evaluation of Google's Phishing Page ClassifierChangqing Miao, Jianan Feng, Wei You, Wenchang Shi, Jianjun Huang, and Bin Liang[Paper] [Code]Spoofing DNS Records by Abusing DHCP DNS Dynamic UpdatesOri David[Blog] [Code] Operation Triangulation: What You Get When Attack iPhones of ResearchersBoris Larin, Leonid Bezvershenko, and Georgy Kucherin[Blog] [Video]Password-Stealing without Hacking: Wi-Fi Enabled Practical Keystroke EavesdroppingJingyang Hu, Hongbo Wang, Tianyue Zheng, Jingzhi Hu, Zhe Chen, Hongbo Jiang, and Jun Luo[Paper] [Code]

Cryptography still isn’t easycertmitm: automatic exploitation of TLS certificate validation vulnerabilitiesAapo Oksman[Slides] [Code] [Video]Escaping Phishermen Nets: Cryptographic Methods Unveiled in the Fight Against Reverse Proxy AttacksKsandros Apostoli[Blog]mTLS: When certificate authentication is done wrongMichael Stepankin[Slides] [Blog]Ultrablue: User-friendly Lightweight TPM Remote Attestation over BluetoothNicolas Bouchinet, Loïc Buckwell, and Gabriel Kerneis[Slides] [Code] [Video]HECO: Fully Homomorphic Encryption CompilerAlexander Viand, Patrick Jattke, Miro Haller, and Anwar Hithnawi[Slides] [Paper] [Code][Continued] attack of the side-channelsFreaky Leaky SMS: Extracting User Locations by Analyzing SMS TimingsEvangelos Bitsikas, Theodor Schnitzler, Christina Pöpper, and Aanjhan Ranganathan[Paper] [Code]Downfall: Exploiting Speculative Data GatheringDaniel Moghimi[Code] [Paper] Your Clocks Have Ears – Timing-Based Browser-Based Local Network Port ScannerDongsung Kim[Slides] [Demo] [Video]Composition is hard in the cloudUsing Cloudflare to bypass CloudflareFlorian Schweitzer and Stefan Proksch[Blog] The GitHub Actions Worm: Compromising GitHub repositories through the Actions dependency treeAsaf Greenholts[Slides] [Blog] [Video]All You Need is GuestMichael Bargury[Slides] [Code]Nifty sundriesContactless Overflow: Critical contactless vulnerabilities in NFC readers used in point of sales and ATMsJosep Pi Rodriguez[Slides] [Video]Defender-Pretender: When Windows Defender Updates Become a Security RiskOmer Attias and Tomer Bar[Slides] [Code] Fuzz target generation using LLMsDongge Liu, Jonathan Metzman, and Oliver Chang[Results] [Report] [Blog]Route to Bugs: Analyzing the Security of BGP Message ParsingDaniel dos Santos, Simon Guiot, Stanislav Dashevskyi, Amine Amri, and Oussama Kerro[Slides] [Code]It was harder to sniff Bluetooth through my mask during the pandemic…Xeno Kovah[Slides] [Data]

Privacy in the modern eraIPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level GeolocationErik Rye and Robert Beverly[Slides] [Paper] [Code]Device Tracking via Linux’s New TCP Source Port Selection AlgorithmMoshe Kol, Amit Klein, and Yossi Gilad[Code] [Paper]zk-creds: Flexible Anonymous Credentials from zkSNARKs and Existing Identity InfrastructureMichael Rosenberg, Jacob White, Christina Garman, and Ian Miers[Paper] [Code]3 Years in China: A Tale of Building a REAL Full Speed Anti-Censorship RouterKaiJern Lau[Slides] [Code] [Video]Embedded [in]securityEmbedded Threats: A Deep Dive into the Attack Surface and Security Implications of eSIM TechnologyMarkus Vevier[Code] [Video]RPMB, a secret place inside the eMMCSergio Prado[Blog]Compromising Garmin’s Sport Watches: A Deep Dive into GarminOS and its MonkeyC Virtual MachineTao Sauvage[Blog] [Video] [Slides]The Impostor Among US(B): Off-Path Injection Attacks on USB CommunicationsRobert Dumitru, Daniel Genkin, Andrew Wabnitz, and Yuval Yarom[Code] [Paper]MagBackdoor: Beware of Your Loudspeaker as A Backdoor For Magnetic Injection AttacksTiantian Liu, Feng Lin, Zhangsen Wang, Chao Wang, Zhongjie Ba, Li Lu, Wenyao Xu, and Kui Ren[Code] [Paper]Issues at the operating system level(Windows) Hello from the Other SideDirk-jan Mollema[Slides] [Code]Every Signature is Broken: On the Insecurity of Microsoft Office’s OOXML SignaturesSimon Rohlmann, Vladislav Mladenov, Christian Mainka, Daniel Hirschberger, and Jörg Schwenk[Paper] [Code]Dirty Bin Cache: A New Code Injection Poisoning Binary Translation CacheKoh Nakagawa[Slides] [Code]The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 DecodersWilly R. Vasquez, Stephen Checkoway, and Hovav Shacham[Slides] [Paper] [Code]Nifty sundriesEverParse: Secure Binary Data Parsers for EveryoneTahina Ramananandro[Slides] [Code]InfinityGauntlet: Expose Smartphone Fingerprint Authentication to Brute-force AttackYu Chen, Yang Yu, and Lidong Zhai[Paper]It’s (DOM) Clobbering Time: Attack Techniques, Prevalence, and DefensesSoheil Khodayari and Giancarlo Pellegrino[Code] [Paper] [Site]Can you trust ChatGPT’s package recommendations?Bar Lanyado, Ortal Keizman, and Yair Divinsky[Blog]Phoenix Domain Attack: Vulnerable Links in Domain Name Delegation and RevocationXiang Li, Baojun Liu, Xuesong Bai, Mingming Zhang, Qifan Zhang, Zhou Li, Haixin Duan, and Qi Li[Slides] [Paper]Man-in-the-Middle Attacks without Rogue AP: When WPAs Meet ICMP RedirectsXuewei Feng, Qi Li, Kun Sun, Yuxiang Yang, and Ke Xu[Website] [Paper]

Smashing Web3 transaction simulations for fun and profitTal Be'ery and Roi Vazan[Blog] [Video]Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt InjectionKai Greshake, Sahar Abdelnabi, Shailesh Mishra, Christoph Endres, Thorsten Holz, and Mario Fritz[Paper] [Code] [Demo Website]Using ZK Proofs to Fight DisinformationTrisha Datta and Dan Boneh[Slides] [Video] [Code] [Blog]Crypto Agility and Post-Quantum Cryptography @ GoogleStefan Kölbl, Anvita Pandit, Rafael Misoczki, and Sophie Schmieg[Code] [Video]Server-side prototype pollution: Black-box detection without the DoSGareth Heyes[Blog] [Slides] [Video]Phantom of the Pipeline – Abusing Self-Hosted CI/CD RunnersAdnan Khan, Mason Davis, and Matt Jackoski[Slides] [Code] [Blog]Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit QueuesDomien Schepers, Aanjhan Ranganathan, and Mathy Vanhoef[Slides] [Paper] [Video]Let Me Unwind That For You: Exceptions to Backward-Edge ProtectionVictor Duta, Fabian Freyer, Fabio Pagani, Marius Muench, and Cristiano Giuffrida[Slides] [Paper] [Code]Protect the System Call, Protect (Most of) the World with BASTIONChristopher Jelesnianski, Mohannad Ismail, Yeongjin Jang, Dan Williams, and Changwoo Min[Paper]Interoperability in End-to-End Encrypted MessagingEsha Ghosh, Paul Grubbs, Julia Len, and Paul Rösler[Slides] [Paper] [Video]High Risk Users and Where to Find ThemMasha Sedova[Paper] [Video]Why I write my own security toolingJames Forshaw[Code] [Video]Polynonce: A tale of a novel ECDSA attack and Bitcoin tearsMarco Macchetti and Nils Amiet[Blog] [Paper] [Code]Finding 10x+ Performance Improvements in C++ with CodeQLSean Heelan[Blog] [Code]Bridging the gap in the static and dynamic analysis of binaries through decompiler tomfoolery!Zion Basque[Code] [Video]

Hacking the Cloud with SAMLFelix Wilhelm[Slides] [Video]Announcing GUAC, a great pairing with SLSA (and SBOM)!Brandon Lum, Mihai Maruseac, Isaac Hepworth, Google Open Source Security Team[Blog] [Code] [Presentation]We sign code nowWilliam Woodruff[Blog] [Code] [Video]Knockout Win Against TCC - 20+ NEW Ways to Bypass Your MacOS Privacy MechanismsCsaba Fitzl and Wojciech Regula[Slides] Farming The Apple Orchards: Living Off The Land TechniquesCedric Owens and Chris Ross[Slides] [Video]LOLBINed — Using Kaspersky Endpoint Security “KES” Installer to Execute Arbitrary CommandsNasreddine Bencherchali[Blog] POPKORN: Popping Windows Kernel Drivers At ScaleRajat Gupta, Lukas Patrick Dresel, Noah Spahn, Giovanni Vigna, Christopher Kruegel, and Taesoo Kim[Paper] [Code]RC4 Is Still Considered HarmfulJames Forshaw[Blog]Kerberos’ RC4-HMAC broken in practice: spoofing PACs with MD5 collisionsTom Tervoort[Paper] [Slides]Exploring Ancient Ruins to Find Modern Bugs: Discovering a 0-Day in MS-RPC serviceOphir Harpaz and Stiv Kupchik[Slides] [Video]Decentralized Identity Attack SurfaceShaked Reiner[Blog part 1] [Blog part 2]Drone Authentication via Acoustic FingerprintYufeng Diao, Yichi Zhang, Guodong Zhao, and Mohamed Khamis[Slides] [Paper]On the Implications of Spoofing and Jamming Aviation Datalink ApplicationsHarshad Sathaye, Guevara Noubir, and Aanjhan Ranganathan[Slides] [Paper]{JS-ON: Security-OFF}: Abusing JSON-Based SQL QueriesNoam Moshe[Slides] [SQLMap patch] [Blog]Are There Wireless Hidden Cameras Spying on Me?Jeongyoon Heo, Sangwon Gil, Youngman Jung, Jinmok Kim, Donguk Kim,Woojin Park, Yongdae Kim, Kang G. Shin, and Choong-Hoon Lee[Slides] [Paper]