Advancements in JavaScript Engine Fuzzing | HITCON CMT 2023

議程活動會場資訊贊助籌備團隊 CoC ENG 登入

議程活動會場資訊贊助籌備團隊 CoC

議程

09:00

10:00

10:10

11:00

11:20

12:00

13:00

13:40

14:00

14:40

15:10

15:35

15:50

16:00

16:30

17:20

18:00

R2

R0

R1

R3

報到時間

Opening 開幕

English

Red

Exploit Development

Fuzzing

Advancements in JavaScript Engine Fuzzing

Carl Smith

Break

Mandarin

🍊

Red

Exploit Development

A 3-Year Tale of Hacking a Pwn2Own Target: The Attacks, Vendor Evolution, and Lesson Learned

Orange Tsai

English

Red

Communication

How to hijack a VoLTE network

Pavel Novikov

Mandarin

Blue

Crypto

打造公平的遊戲轉蛋：在不洩漏原始碼的前提下驗證虛擬轉蛋的機率

Jing Jie Wang、李安傑

Lunch

English

Red

Exploit Development

Ghosts of the Past: Classic PHP RCE Bugs in Trend Micro Enterprise Offerings.

Poh Jia Hao

Mandarin

Red

Communication

Reverse Engineering

從硬體攻擊手段來解開機殼下的美麗祕密：網路通訊設備安全分析

Ta-Lun Yen

Mandarin

Red

Exploit Development

BYOVD

直搗核心：探索 AMD 驅動程式中的資安漏洞

Zeze

Break

Mandarin

Red

Exploit Development

Endpoint Security or End of Security? Exploiting Trend Micro Apex One

Lays、Lynn

English

Red

Electron

ELECTRONizing macOS privacy - a new weapon in your red teaming armory

Wojciech Reguła

Mandarin

Red

Exploit Development

Fuzzing

搭配模糊測試對Linux核心遠端檔案系統進行漏洞挖掘

Pumpkin

麋鹿在芝麻街 - ELK x BERT 資安分析實戰

Sheng-Shan Chen、Yuki Hung

Tea Time

Mandarin

Red

BYOVD

LPE

現代內核漏洞戰爭 - 越過所有核心防線的系統/晶片虛實混合戰法

馬聖豪

English

Red

Exploit Development

Electron

Virtual

What You See IS NOT What You Get: Pwning Electron-based Markdown Note-taking Apps

Li Jiantao

協會時間

Allen Own、CK

Break

Lightning Talk

freetsubasa & Hazel、沒有人

Closing

收場

09:00

報到時間

10:00

Opening 開幕

10:10

English

Red

Exploit Development

Fuzzing

Advancements in JavaScript Engine Fuzzing

Carl Smith

11:00

Break

11:20

Mandarin

🍊

Red

Exploit Development

A 3-Year Tale of Hacking a Pwn2Own Target: The Attacks, Vendor Evolution, and Lesson Learned

Orange Tsai

English

Red

Communication

How to hijack a VoLTE network

Pavel Novikov

Mandarin

Blue

Crypto

打造公平的遊戲轉蛋：在不洩漏原始碼的前提下驗證虛擬轉蛋的機率

Jing Jie Wang、李安傑

12:00

Lunch

13:00

English

Red

Exploit Development

Ghosts of the Past: Classic PHP RCE Bugs in Trend Micro Enterprise Offerings.

Poh Jia Hao

Mandarin

Red

Communication

Reverse Engineering

從硬體攻擊手段來解開機殼下的美麗祕密：網路通訊設備安全分析

Ta-Lun Yen

Mandarin

Red

Exploit Development

BYOVD

直搗核心：探索 AMD 驅動程式中的資安漏洞

Zeze

13:40

Break

14:00

Mandarin

Red

Exploit Development

Endpoint Security or End of Security? Exploiting Trend Micro Apex One

Lays、Lynn

English

Red

Electron

ELECTRONizing macOS privacy - a new weapon in your red teaming armory

Wojciech Reguła

Mandarin

Red

Exploit Development

Fuzzing

搭配模糊測試對Linux核心遠端檔案系統進行漏洞挖掘

Pumpkin

麋鹿在芝麻街 - ELK x BERT 資安分析實戰

Sheng-Shan Chen、Yuki Hung

14:40

Tea Time

15:10

Mandarin

Red

BYOVD

LPE

現代內核漏洞戰爭 - 越過所有核心防線的系統/晶片虛實混合戰法

馬聖豪

English

Red

Exploit Development

Electron

Virtual

What You See IS NOT What You Get: Pwning Electron-based Markdown Note-taking Apps

Li Jiantao

協會時間

Allen Own、CK

15:50

Break

16:00

Lightning Talk

freetsubasa & Hazel、沒有人

16:30

Closing

17:20

收場

English

Red

Exploit Development

Fuzzing

Advancements in JavaScript Engine Fuzzing

即時提問簡報

R0

地點

10:10 ~ 11:00

8月19日週六

Keynote

類型

What’s new in JavaScript engine fuzzing, and what might still be to come? This talk will dive into the unique challenges and opportunities of JavaScript engine fuzzing. For example, while the bugs typically found in modern JavaScript engines often require complex interactions to trigger, the nature of JavaScript also makes it possible to use features like runtime introspection to generate smarter testcases. Various new fuzzing techniques specifically for dynamic language interpreters will be discussed and have been implemented in the open-source fuzzer Fuzzilli. Along the way, some noteworthy bugs will also be presented.

Carl Smith

Carl Smith is a Security Engineer on Google's V8 Security Team. He previously interned at Exodus Intelligence and Google Project Zero. He is interested in fuzzing, compilers and security research. He can be reached on twitter, mastodon and bsky: @cffsmith / [email protected] / @rwx.page.

© 2023 HITCON, All Rights Reserved.