Black Hat USA 2022 Aug. 10, 2022 to Aug. 11, 2022, Las Vegas, NV

Event Page

Tell us about missing data
Title Speakers Summary Topic Types
Keynote: Black Hat at 25: Where Do We Go from Here? Chris Krebs For twenty-five years, the InfoSec community and industry have been gathering here in the desert. ... Keynote
AAD Joined Machines - The New Lateral Movement Mor Rubin With the evolvement of Azure and Pass-Through authentication, many organizations are connecting devices to Azure ... Cloud & Platform Security Network Security
Automatic Protocol Reverse Engineering Gabi Marcovich Protocol reverse engineering is the process of extracting the specification of a network protocol from ... Network Security Reverse Engineering
Blasting Event-Driven Cornucopia: WMI-based User-Space Attacks Blind SIEMs and EDRs Claudiu Teodorescu , Andrey Korkin Security solutions engineers always find new ways to monitor OS events to mitigate threats on ... Reverse Engineering Defense
Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling James Kettle The recent rise of HTTP Request Smuggling has seen a flood of critical findings enabling ... Application Security
Elevating Kerberos to the Next Level James Landers Kerberos is the primary authentication protocol for on-premise Windows enterprise networks. As it's so crucial ... Exploit Development Cloud & Platform Security
All Your GNN Models and Data Belong to Me Yang Zhang , Azzedine Shen Many real-world data come in the form of graphs. Graph neural networks (GNNs), a new ... Privacy AI ML & Data Science
New Memory Forensics Techniques to Defeat Device Monitoring Malware Andrew Case , Gustavo Moreira , Austin Richard Malware that is capable of monitoring hardware devices poses a significant threat to the privacy ... Data Forensics & Incident Response Malware
Harm Reduction: A Framework for Effective & Compassionate Security Guidance Kyle Tobener Cybersecurity practitioners in defensive roles are regularly confronted with high risk behaviors from the populations ... Human Factors Defense
Industroyer2: Sandworm's Cyberwarfare Targets Ukraine's Power Grid Again Robert Cherepanov Industroyer2 – a new version of the only malware to ever trigger electricity blackouts – ... Malware Cyber-Physical Systems
Better Privacy Through Offense: How To Build a Privacy Red Team Scott Tenaglia Red teams are an important component of a holistic cyber security program because they test ... Privacy Lessons Learned
Android Universal Root: Exploiting Mobile GPU / Command Queue Drivers Xingyu Jin , Richard Bottarini Rooting modern Android devices using kernel bugs from an unprivileged process without any hardcoded offsets/addresses ... Mobile Exploit Development
IAM The One Who Knocks Igal Dahan As organizations start their cloud journey, many are looking at leveraging multi-cloud for their infrastructure. ... Cloud & Platform Security Enterprise Security
Demystifying Key Stretching and PAKEs Steve Thomas Key stretching can make the difference between recovering a secret nearly instant to nearly impossible, ... Cryptography
The Growth of Global Election Disinformation: The Role and Methodology of Government-linked Cyber Actors Sandra Quincoses Nisos researchers uncovered a prolific disinformation campaign focused on Colombia's May 2022 elections in which ... Human Factors Defense
Glitched on Earth by Humans: A Black-Box Security Evaluation of the SpaceX Starlink User Terminal Lennert Wouters The SpaceX operated Starlink low Earth orbit satellite constellation aims to provide satellite internet coverage ... Reverse Engineering Hardware / Embedded
Breaking Firmware Trust From Pre-EFI: Exploiting Early Boot Phases Alex Matrosov , Alex Ermolov , Yegor Thomas Vulnerabilities in System Management Mode (SMM) and more general UEFI applications/drivers (DXE) are receiving increased ... Reverse Engineering Cloud & Platform Security
A Fully Trained Jedi, You Are Not Adam Shostack As software organizations try to bring security earlier in the development processes, what can or ... Application Security Community & Career
Devils Are in the File Descriptors: It Is Time To Catch Them All Le Wu "Everything is a file" describes an important feature of Unix. File descriptor or fd is ... Cloud & Platform Security Lessons Learned
Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS Orange Tsai Hash Table, as the most fundamental Data Structure in Computer Science, is extensively applied in ... Application Security
Internal Server Error: Exploiting Inter-Process Communication in SAP's HTTP Server Martin Doyhenard More than 400,000 organizations, including 90% of Fortune 500 companies, rely on SAP's software to ... Enterprise Security Application Security
In Need of 'Pair' Review: Vulnerable Code Contributions by GitHub Copilot Hammond Pearce , Benjamin Tan , Brendan Ahmad On June 29 in 2021 GitHub announced and released their newest tool, 'Copilot' - an ... AI ML & Data Science
ELF Section Docking: Revisiting Stageless Payload Delivery Dimitry Snezhkov When it comes to generating and delivering malware on Linux, offensive operators have choices. Some ... Malware Cloud & Platform Security
Google Reimagined a Phone. It was Our Job to Red Team and Secure it. Eugene Rodionov , Farzan Karimi , Xuan Cole Despite the large number of phone vendors, most Android devices are based on a relatively ... Mobile Hardware / Embedded
Is WebAssembly Really Safe? --Wasm VM Escape and RCE Vulnerabilities Have Been Found in New Way Zhao Hai , Zhichen Wang , Mengchen Li WebAssembly (Wasm) supports binary format which provides languages such as C/C++, C# and Rust with ... Exploit Development Cloud & Platform Security
The Cyber Safety Review Board: Studying Incidents to Drive Systemic Change Robert Silvers , Heather Moss Join Rob Silvers (DHS Undersecretary for Policy and Chair of the Cyber Safety Review Board) ... Policy Application Security
Trying to Be Everything to Everyone: Let’s Talk About Burnout Stacy Thayer Research shows computer security professionals describe the computer security industry as a high-risk yet high-reward ... Community & Career
Stalloris: RPKI Downgrade Attack Haya Shulman , Michael Waidner , Philipp Jeitner , Donika Hlavecek The recent hijack of Twitter prefix by RTCOMM demonstrated the central role of RPKI for ... Network Security
Architecturally Leaking Data from the Microarchitecture Pietro Kogler CPU vulnerabilities undermine the security guarantees provided by software- and hardware-security improvements. While the discovery ... Cloud & Platform Security Hardware / Embedded
Return to Sender - Detecting Kernel Exploits with eBPF Guillaume Fournier One of the fastest growing subsystems in the Linux Kernel is, without any doubt, eBPF ... Defense Exploit Development
Smishmash - Text Based 2fa Spoofing Using OSINT, Phishing Techniques and a Burner Phone Thomas Byström In recent years the data leaks have escalated, and leaked passwords and usernames have become ... Human Factors Mobile
To Flexibly Tame Kernel Execution With Onsite Analysis Xuhua Ding Existing kernel analysis tools either instrument the subject kernel to report data from the inside ... Reverse Engineering Cloud & Platform Security
sOfT7: Revealing the Secrets of Siemens S7 PLCs Sara Bitan , Maxim‬ Barsky , Eli Biham , Alon Raz The programmable logic controller (PLC) is a reliable hardware device implementing complex monitoring and control ... Hardware / Embedded Cyber-Physical Systems
The Open Threat Hunting Framework: Enabling Organizations to Build, Operationalize, and Scale Threat Hunting John Dwyer , Neil Koranne "Ask 10 infosec professionals to define threat hunting and you'll get 11 different answers." Threat ... Lessons Learned Data Forensics & Incident Response
(Long) Dragon Tails – Measuring Dependence on International Vulnerability Research Trey Herr , Stewart Scott , Frances Gambrill This talk will present results of a study on the reliance of critical proprietary and ... Policy Human Factors
Trust Dies in Darkness: Shedding Light on Samsung's TrustZone Keymaster Design Alon Shakevsky , Eyal Wool ARM-based Android smartphones rely on the TrustZone hardware support for a Trusted Execution Environment (TEE) ... Mobile Cryptography
No One Is Entitled to Their Own Facts, Except in Cybersecurity? Presenting an Investigation Handbook To Develop a Shared Narrative of Major Cyber Incidents Victoria Wheeler You get a fact…and you get a fact…and you get a fact! It sounds like ... Policy Lessons Learned
RCE-as-a-Service: Lessons Learned from 5 Years of Real-World CI/CD Pipeline Compromise Iain Gazdag In the past 5 years, we've demonstrated countless supply chain attacks in production CI/CD pipelines ... Lessons Learned Enterprise Security
Monitoring Surveillance Vendors: A Deep Dive into In-the-Wild Android Full Chains in 2021 Xingyu Jin , Richard Neal , Christian Lecigne Over the past 12 months, Google's TAG (Threat Analysis Group) and Android Security teams have ... Mobile Exploit Development
Invisible Finger: Practical Electromagnetic Interference Attack on Touchscreen-based Electronic Devices Haoqi Shan , Boyi Zhang , Yier Wang Touchscreen-based electronic devices such as smart phones and smart tablets are widely used in our ... Hardware / Embedded Mobile
I Am Whoever I Say I Am: Infiltrating Identity Providers Using a 0Click Exploit Steven Seeley Single Sign On (SSO) has become the dominant authentication scheme to login to several related, ... Enterprise Security Application Security
Real 'Cyber War': Espionage, DDoS, Leaks, and Wipers in the Russian Invasion of Ukraine Juan Hegel The Russian invasion of Ukraine has included a wealth of cyber operations that have tested ... Malware Policy
BrokenMesh: New Attack Surfaces of Bluetooth Mesh Han Yan , Lewei Ke Bluetooth Mesh is a mesh networking standard based on Bluetooth Low Energy. It was made ... Network Security Hardware / Embedded
Fault-Injection Detection Circuits: Design, Calibration, Validation and Tuning Daniel Tokunaga This session covers the tunable replica circuit (TRC), a fault-injection detection circuit that has been ... Defense Hardware / Embedded
Backdooring and Hijacking Azure AD Accounts by Abusing External Identities Dirk-jan Mollema External identities are a concept in Azure Active Directory which makes it possible to collaborate ... Cloud & Platform Security Enterprise Security
Breaking the Chrome Sandbox with Mojo Stephen Röttger If you manage to exploit a Chrome renderer vulnerability, you find yourself in a tight ... Exploit Development
Attacks From a New Front Door in 4G & 5G Mobile Networks Altaf Shaik , Shinjo Strada The inception of APIs in the telecom industry is destined to change the way mobile ... Network Security Mobile
UWB Real Time Locating Systems: How Secure Radio Communications May Fail in Practice Andrea Palanca , Luca Gordon Ultra-wideband (UWB) is a rapidly-growing radio technology that, according to the UWB Alliance, is forecasted ... Network Security Cyber-Physical Systems
Unlimited Results: Breaking Firmware Encryption of ESP32-V3 Karim M. Abdellatif , Olivier Thillard ESP32 is one of the most widely used microcontrollers, and is present in hundreds of ... Cryptography Hardware / Embedded
A Journey Into Fuzzing WebAssembly Virtual Machines Patrick Ventuzelo Since the MVP release in 2017, WebAssembly evolve gradually, bringing new adepts and new VM ... Reverse Engineering Application Security
A New Trend for the Blue Team - Using a Practical Symbolic Engine to Detect Evasive Forms of Malware/Ransomware Sheng-hao Ma , Mars Chen Blue Teams and anyone on the defensive side face various challenges when it comes to ... Data Forensics & Incident Response Defense
Trace Me if You Can: Bypassing Linux Syscall Tracing Rex Zeng In this talk, we will present novel vulnerabilities and exploitation techniques that reliably bypass Linux ... Cloud & Platform Security Exploit Development
Dive Into Apple IO80211Family Vol. 2 Yu Wang At the Black Hat USA 2020 I presented a topic [1] related to the Apple ... Network Security Reverse Engineering
GPT-3 and Me: How Supercomputer-scale Neural Network Models Apply to Defensive Cybersecurity Problems Joshua Lee A key lesson of recent deep learning successes is that as we scale neural networks, ... Network Security AI ML & Data Science
Pre-Stuxnet, Post-Stuxnet: Everything Has Changed, Nothing Has Changed Kim Zetter When Stuxnet was discovered in 2010, it shone a light on vulnerabilities in critical infrastructure ... Keynote
ElectroVolt: Pwning Popular Desktop Apps While Uncovering New Attack Surface on Electron Aaditya Purani , Max Garrett , Mohan Bowling Electron based apps are becoming a norm these days as it allows encapsulating web applications ... Application Security Exploit Development
Ghost in the Wireless, iwlwifi Edition Nicolas Campana Wi-Fi replaced Ethernet and became the main network protocol on laptops for the last few ... Hardware / Embedded
Process Injection: Breaking All macOS Security Layers With a Single Vulnerability Thijs Alkemade macOS local security is shifting more and more to the iOS model, where every application ... Cloud & Platform Security Application Security
CastGuard: Mitigating Type Confusion in C++ Joe Bialek Type confusion vulnerabilities offer incredibly powerful primitives to exploit writers. Many traditional types of memory ... Defense Application Security
Do Not Trust the ASA, Trojans! Jacob Baines Cisco ASA and ASA-X are widely deployed firewalls that are relied upon to protect internal ... Network Security Hardware / Embedded
Bug Bounty Evolution: Not Your Grandson's Bug Bounty Katie Moussouris Bug Bounties, once heralded as a security best practice, are growing stale without ever having ... Application Security Lessons Learned
Whip the Whisperer: Simulating Side Channel Leakage Jasper van Woudenberg Cryptographic side channels are well-understood from a mathematical perspective, and many countermeasures exist that reduce ... Cryptography Cloud & Platform Security
Perimeter Breached! Hacking an Access Control System Steve Quinn The first critical component to any attack is an entry point. As we lock down ... Network Security Cyber-Physical Systems
Ret2page: The Art of Exploiting Use-After-Free Vulnerabilities in the Dedicated Cache Yong Wang Heap isolation is effective mitigation that reduces the exploitability of certain types of vulnerabilities, especially ... Exploit Development Cloud & Platform Security
XMPP Stanza Smuggling or How I Hacked Zoom Ivan Fratric XMPP is a popular instant messaging protocol based on XML that is used in messengers, ... Exploit Development Enterprise Security
Calculating Risk in the Era of Obscurity: Reading Between the Lines of Security Advisories Brian Childs Compliance with industry standards as well as various government regulations also requires a robust servicing ... Policy Defense
Leveraging the Apple ESF for Behavioral Detections Jaron Benyo Since its 2019 introduction in macOS Catalina, we have used the Apple Endpoint Security Framework ... Malware Defense
Go With the Flow: Enforcing Program Behavior Through Syscall Sequences and Origins Claudio Canella Over the years, applications increased in size and complexity, and with that also the number ... Defense
Bug Hunters Dump User Data. Can They Keep it? Well They're Keeping it Anyway. Dylan Merrill A security researcher used a modern bug bounty platform to disclose an accidental dump of ... Privacy Application Security
Pwning Cloud Vendors with Untraditional PostgreSQL Vulnerabilities Shir Ohfeld Cloud service providers often provide popular and beloved open-source solutions as multi-tenant managed services. This ... Cloud & Platform Security Exploit Development
Oops..! I Glitched It Again! How to Multi-Glitch the Glitching-Protections on ARM TrustZone-M Ahmad-reza Sadeghi , Richard Saß Fault Injection (FI), also referred to as Glitching, has proven to be a severe threat ... Cyber-Physical Systems Hardware / Embedded
Kubernetes Privilege Escalation: Container Escape == Cluster Admin? Yuval Hai Kubernetes has become the de-facto way of running containerized applications on the cloud or on ... Cloud & Platform Security
From Hackathon to Hacked: Web3's Security Journey Nathan Hamiel If there's one prediction you can make with certainty, it's that security in the Web3/blockchain ... Application Security
The Battle Against the Billion-Scale Internet Underground Industry: Advertising Fraud Detection and Defense Zheng Huang , Yakun Zhang , Shupeng Gao , Hai Gao Advertising is the main profit model of internet companies; the annual industry scale of global ... Defense Human Factors
RollBack - A New Time-Agnostic Replay Attack Against the Automotive Remote Keyless Entry Systems Hoon wei Lim , Jun wen Wong , Levente Csikor , Soundarya Ramesh , Rohini Choon Automotive Remote Keyless Entry (RKE) systems implement disposable rolling codes, making every key fob button ... Hardware / Embedded Cyber-Physical Systems
Talent Need Not Apply: Tradecraft and Objectives of Job-themed APT Social Engineering Sveva Wikoff When a job offer looks too good to be true… it probably is. As the ... Data Forensics & Incident Response Community & Career
TruEMU: An Extensible, Open-Source, Whole-System iOS Emulator Kyungtae Kim , Trung Nguyen , Antonio Tian iOS is one of the most valuable targets for security researchers. Unfortunately, studying the internals ... Reverse Engineering Mobile
Catch Me If You Can: Deterministic Discovery of Race Conditions with Fuzzing Ned Williamson Finding concurrency bugs has presented a challenge for security and development teams. Race condition-based vulnerabilities ... Application Security
Cautious: A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe Zhenpeng Lin , Yuhang Xing Dirty pipe is the name given to the CVE-2022-0847 vulnerability, present in Linux kernel versions ... Exploit Development
Living Off the Walled Garden: Abusing the Features of the Early Launch Antimalware Ecosystem Matt Graeber Early Launch Antimalware (ELAM) functionality in Windows offers robust anti-tampering mitigations whereby security vendors declare ... Malware Reverse Engineering
eBPF ELFs JMPing Through the Windows Richard Johnson eBPF tracing is a hot new technology in the EDR and infrastructure space which provides ... Cloud & Platform Security Exploit Development
"No Mr. Cyber Threat!" - A Psychological Approach To Managing the Fail-to-Challenge Vulnerability Simon Dewsnip An unrecognised individual enters a busy workplace. They are not wearing any ID and they ... Human Factors
Malware Classification With Machine Learning Enhanced by Windows Kernel Emulation Dmitrijs Trizna This session will present a hybrid machine learning architecture that simultaneously utilizes static and dynamic ... AI ML & Data Science Malware
DirectX: The New Hyper-V Attack Surface Zhenhao Zhang In 2020, Hyper-V introduced a new feature of GPU-Paravirtualization, which is based on GPU virtualization ... Reverse Engineering Cloud & Platform Security
DNSSEC Downgrade Attacks Haya Shulman , Elias Waidner In this talk, we show that the cryptographic agility in DNSSEC, although critical for making ... Cryptography Network Security
Déjà Vu: Uncovering Stolen Algorithms in Commercial Products Patrick Mcguire In an ideal world, members of a community work together towards a common goal or ... Reverse Engineering Community & Career
Eliminating Triage Intermediaries for Zero-day Exploits Using a Decentralised Payout Protocol Clara Maine , Akke Toeter , Victoria Subudhi We present a protocol that collectivises security bounties for deterministically verifiable zero-day exploits. It enables ... Policy Defense
Custom Processing Unit: Tracing and Patching Intel Atom Microcode Pietro Schwarzl The ability to debug or simply observe the microarchitecture of closed-source CPUs has always been ... Reverse Engineering Cloud & Platform Security
Don't Get Owned by Your Dependencies: How Firefox Uses In-process Sandboxing To Protect Itself From Exploitable Libraries (And You Can Too!) Shravan Narayan , Tal Stefan Memory safety vulnerabilities in third party C libraries are a major source of zero-day attacks ... Defense Application Security
Chasing Your Tail With a Raspberry Pi Matt Edmondson For some people, trying to figure out if you're being followed is a matter of ... Privacy Lessons Learned
Another Way to Talk with Browser: Exploiting Chrome at Network Layer Rong Gong Networking is a critical and complex task for browsers. It ranges from high level JavaScript ... Exploit Development
Attack on Titan M, Reloaded: Vulnerability Research on a Modern Security Chip Damiano Bellom The Titan M chip was introduced by Google in their Pixel 3 devices, and in ... Mobile Hardware / Embedded
Controlling the Source: Abusing Source Code Management Systems Brett Hawkins Source Code Management (SCM) systems play a vital role within organizations and have been an ... Lessons Learned Enterprise Security
Charged by an Elephant – An APT Fabricating Evidence to Throw You In Jail Juan Hegel It's easy to forget the human cost of state-sponsored threats operating with impunity. While we ... Privacy Malware
Human or Not: Can You Really Detect the Fake Voices? Xin Liu , Yuan Tan , Rui Chong , Xiaokang Zhou , Mingyuan Zhou Voice is an essential medium for humans to transfer information and build trust, and the ... AI ML & Data Science Defense
The COW (Container On Windows) Who Escaped the Silo Eran Segal Virtualization and containers are the foundations of cloud services. Containers should be isolated from the ... Cloud & Platform Security Reverse Engineering
Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once and For All Jonathan Leitschuh , Patrick Mehta Imagine a world where a security researcher becomes aware of a security vulnerability, impacting thousands ... Application Security Defense
The 8th Annual Black Hat USA NOC Report Neil Stump Back with another year of soul-crushing statistics, the Black Hat NOC team will be sharing ... Network Security Application Security
The Journey of Hunting In-the-Wild Windows LPE 0day Quan Jin From 2017 to 2021, Microsoft disclosed a total of 28 in-the-wild Windows LPE 0days, most ... Malware Cloud & Platform Security
A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data Pietro Frigo , Enrico Muench The initial disclosure of Spectre in 2018 led to an unforeseen era of transient execution ... Exploit Development Hardware / Embedded
Locknote: Conclusions and Key Takeaways from Black Hat USA 2022 Jeff ( Dark Tangent ) Moss , Chris Eng , Justine Bone , Natalie Suiche To close out Black Hat USA 2022, join Black Hat Founder Jeff Moss and Review ... Keynote Lessons Learned