|=------------------------------------------------------------------------------------------------=|

 ########  ######## ########  ######   #######  ##    ##    ########   #######  ##     ## ######## 
 ##     ## ##       ##       ##    ## ##     ## ###   ##    ##     ## ##     ## ###   ### ##       
 ##     ## ##       ##       ##       ##     ## ####  ##    ##     ## ##     ## #### #### ##       
 ##     ## ######   ######   ##       ##     ## ## ## ##    ########  ##     ## ## ### ## ######   
 ##     ## ##       ##       ##       ##     ## ##  ####    ##   ##   ##     ## ##     ## ##       
 ##     ## ##       ##       ##    ## ##     ## ##   ###    ##    ##  ##     ## ##     ## ##       
 ########  ######## ##        ######   #######  ##    ##    ##     ##  #######  ##     ## ######## 
 
|=------------------------------------------------------------------------------------------------=|

                                 DEF CON group 11396 @ Rome, Italy
                                
                               [Main] [Meetings] [Posts] [Projects] 


|=--------------------------------------=[ February 2020 ]=---------------------------------------=|

by pietroborrello
This is the 12th meeting of the DEF CON group. Date and location: March 6th (delayed from February) from 5 p.m. to 7 p.m. in the B2 room at the Department of Computer, Control, and Management Engineering (DIAG) Antonio Ruberti at Sapienza University of Rome. The schedule is: ---[ Software Exploitation: Hardware is the New Black, by Cristiano Giuffrida What would the world be like if software had no bugs? Software systems would be impenetrable and our data shielded from prying eyes? Not quite. In this talk, I will present evidence that reliable attacks targeting even "perfect" software are a realistic threat. Such attacks exploit properties of modern hardware such as glitches (e.g., Rowhammer) and side channels (e.g., deduplication) to completely subvert a system, even in absence of software or configuration bugs. To substantiate this claim, I will illustrate practical attacks in real-world systems settings, such as browsers, clouds, and mobile. The implications of these attacks are worrisome. Even bug-free (say formally verified) software can be successfully targeted by a relatively low-effort attacker. Moreover, state-of-the-art security defenses, which have proven useful to raise the bar against traditional software exploitation techniques, are completely ineffective against such attacks. It is time to revisit our assumptions on realistic adversarial models and investigate defenses that consider threats in the entire hardware/software stack. Pandora's box has been opened. ---[ Who certifies the certificate authority? Lessons learnt from CVE-2020-0601, by Matteo Chen