The Mobile Security Conference (MOSEC) is organized by Team Pangu and PoC and was first started in 2015. MOSEC focuses on cutting-edge research topics the area of mobile security, fosters information exchange among researchers and practitioners, and received high praise from both the attendees and the community.

MOSEC 2019 will be held on May 30-31, 2019 at the Shanghai Marriott Hotel City Centre, in Shanghai, China. Following the success of the past events, MOSEC 2019 will cover hot topics in security research on mobile browsers, Apps, iOS/Android, IOT, industrial control systems, 4G network, vehicles, and continue to facilitate the most advanced knowledge and technology sharing. MOSEC 2019 will bring excellent security researchers to present their frontier studies to the world.

Founded by Team Pangu, the Pangu Lab is a security laboratory consisting of many senior security professionals with rich experience across a wide range of security research and industrial development. The members of the Pangu Lab discovered hundreds of 0day vulnerabilities in major operating systems and applications, and presented many papers and talks at the premier forums such as Black Hat, CanSecWest, Syscan, RUXCON, HITCon, PoC, XCon , IEEE S&P, USENIX Security, ACM CCS, and NDSS.

Pangu Lab’s current research focuses on mobile security. Team Pangu is known for its multiple releases of untethered jailbreak tools for iOS 7, iOS 8, and iOS 9. Team Pangu was also the first to jailbreak iOS 8 and iOS 9 in the world. Besides iOS, Pangu Lab also made great progress in Android security research, and developed various products for discovering vulnerabilities in Android apps, detecting malicious Android apps, and mining mobile threat information.

POC started in 2006 and has been organized by Korean hackers & security experts. It is the biggest international security & hacking conference in Korea. POC concentrates on technical and creative discussion and shows real hacking and security. POC will share knowledge for the sake of the power of community. POC believes that the power of community will make the world safer. POC has been making a history with sincere staffs, hackers from the world, and sponsors since 2006.

Speakers
A Study in PAC
Brandon Azad
Time TBA
Introduction
Apple continues to introduce hardware mitigations to make iPhone exploitation more difficult. In this talk we'll analyze Apple's implementation of Pointer Authentication on the A12 SOC, which was significantly hardened over the original ARM design to protect against kernel attackers. Starting with kernel read/write, we'll analyze the behavior, speculate about the implementation, and try and find ways to bypass it. I'll walk through 5 different techniques I discovered to bypass PAC and gain kernel code execution.
Speaker
Brandon Azad is a security researcher at Google Project Zero specializing in macOS and iOS.
Nailgun: Break the privilege isolation on ARM
Zhenyu Ning Fengwei Zhang
Time TBA
Introduction

Processors nowadays are consistently equipped with debugging features to facilitate the program debugging and analysis. Although the debugging architecture has been presented for years, the security of the debugging features is under-examined since it normally requires physical access to use these features in the traditional debugging model.

ARM introduces a new debugging model that requires no physical access since ARMv7. In this new debugging model, a host processor is able to pause and debug another target processor on the same chip (inter-processor debugging). The idea of Nailgun attack is to misuse the debugging architecture with the inter-processor debugging since it allows the debug host to pause and debug the target even when the target owns a higher privilege.

Our experiments discover a number of vulnerable devices including IoT devices like Raspberry PI, all commercial ARM-based cloud platforms, and mobile phones from Huawei, Motorola, and Xiaomi. For further verification, we show that Nailgun attack can be used to access the Secure Configuration Register (which is only accessible in the secure state) on Raspberry PI and extract the fingerprint image stored in the secure memory of Huawei Mate 7 with a non-secure kernel module.

Speaker

Zhenyu Ning is a Ph.D. candidate with the Computer Science Department at Wayne State University. He received his master degree in computer science from Tongji University in 2011. His research interests are in the areas of hardware-assisted system security, embedded systems, and trusted execution environments.

Fengwei Zhang is the Director of the COMPASS (COMPuter And Systems Security) Lab and Assistant Professor at the Department of Computer Science at Wayne State University. He received his Ph.D. degree in computer science from George Mason University in 2015. His research interests are in the areas of systems security, with a focus on trustworthy execution, hardware-assisted security, transportation security, and plausible deniability encryption. Fengwei has more than 10 years working experience in systems security. His work has been well recognized by the security community and he published more than 30 top-tier conferences/journal papers.

Billion-users' file at risk: a comprehensive research and exploit of nearby file transfer apps
Xiangqian Zhang Huiming Liu
Time TBA
Introduction

Nearby sharing apps are very convenient and fast when you want to transfer files and have been pre-installed on billions of devices. However, your convenience comes with a price. We found that most of them will also open a door for attackers to steal your files and even more.

First, we did a comprehensive research about all top mobile vendors' pre-installed nearby sharing apps by reverse engineering. Many serious vulnerabilities are found on most of them and reported to vendors. Algorithm and design flaws in these apps can lead to file leaking and tampering, privacy leaks, arbitrary file downloads and even remote code execution. In this talk, we will present all the related vulnerabilities' details and exploit techniques. Next, we conducted the same research on lots of third-party file sharing apps and found that they are even worse about security and are used by surprising more than 1 billion users. Files transferred between them are nearly naked when our MITM attack devices are nearby. Finally, we will summarize all the attack vectors and two common attack models. We will also present the attack demos and related tools.

Besides, we will present our practical mitigations. Currently, we are working with most of the top vendors of android to mitigate these vulnerabilities. Through this talk, we want to notify users and mobile vendors to pay more attention to this serious situation and fix it better and sooner.

Speaker

Xiangqian Zhang is a security researcher at Tencent Security Xuanwu Lab and his research focuses on Mobile Security. He found multiple Android kernel and system security vulnerabilities.

Huiming Liu is a security researcher at Tencent Security Xuanwu Lab and his research focuses on Mobile Security and IOT Security. Huiming has spoken at several security conferences including CanSecWest and BlackHat Asia.

 

The Birdman and Cospas-Sarsat Satellites
JingLi Hao
Time TBA
Introduction

The International Cospas-Sarsat Programme is a satellite-based search and rescue system,when analyzing these signals, it was found that this system was seriously disturbed. At the same time, it also found other vulnerable parts of the system and the possibility of being attacked.

Speaker

JingLi Hao, Security researcher of 360 Security Research Institute, member of Unicorn Team,a satellite hacker.

Fuzzing Cellular Networks for fun and profit - if allowed
Yongdae Kim
Time TBA
Introduction

To prevent unexpected failures, LTE security features have been defined in standards bodies such as 3GPP but several studies disclosed LTE vulnerabilities such as DNS hijacking, DoS attack using a false base station and user location tracking. However, none of these studies focused on analyzing network-side problems in operational LTE networks although vulnerabilities of this nature can influence a number of their subscribers once exploited. Motivated by the fact that the control plane components in LTE are still under-explored, we investigated potential problems of the control plane procedures in operational LTE networks (as well as cellular modem) by dynamically analyzing the core network responses resulting from carefully crafted malicious inputs.

In this presentation, I will present LTEFuzz, a semi-automatic testing tool for LTE, which performs an extensive investigation of the security aspects of LTE control plane procedures. LTEFuzz dynamically generates and sends the test cases to a target network or a device, and further deterministically classifies problematic behavior by only inspecting the responses in the tester and victim device from the target. To generate the test cases systematically, we first created three security properties by extensively analyzing the correct behavior of network components and their security requirements mandated in the 3GPP specifications. By conducting tests against the operational network, we found 51 vulnerabilities (36 new and 15 previously known), which are mainly caused by the improper handling of 1) unprotected initial procedures, 2) crafted plain requests, 3) messages with invalid integrity protection, 4) replayed messages, and 5) security procedure bypass. I will show new attack scenarios by exploiting the vulnerabilities we found in the operational network. I will present precise root cause analysis and potential countermeasures to address these problems.

Speaker

Yongdae Kim is a Professor in the Department of Electrical Engineering, an affiliate professor in the Graduate School of Information Security and a director of Cyber Security Research Center at KAIST. He received PhD degree from the computer science department at the University of Southern California under the guidance of Gene Tsudik. Between 2002 and 2012, he was an associate/assistant professor in the Department of Computer Science and Engineering at the University of Minnesota - Twin Cities. Before coming to the US, he worked 6 years in ETRI for securing Korean cyberinfrastructure. He served as a KAIST Chair Professor between 2013 and 2016, and received NSF career award on storage security and McKnight Land-Grant Professorship Award from University of Minnesota in 2005. Currently, he is serving as an associate editor for ACM TOPS, and he was a steering committee member of NDSS between 2012 - 2018. His main research includes novel attacks and analysis methodologies for emerging technologies, such as Cyber Physical Systems such as drone/self-driving cars, 4G/5G cellular networks and Blockchain.

DramaQueen - A walkthrough of Drammer + Rampage
Victor van der Veen
Time TBA
Introduction

Over the last two years, the Rowhammer bug transformed from a hard-to-exploit DRAM disturbance error into a fully weaponized attack vector. Researchers demonstrated exploits not only against desktop computers, but also used single bit flips to compromise the cloud and mobile devices, all without relying on any software vulnerability. This talk will dive into that last category, covering a technical walkthrough of the Drammer (2016) and Rampage (2018) privilege escalation exploits for Android.

After a brief recap of the Rowhammer bug and how we can trigger it on mobile (ARMv7/ARMv8) devices, we dive into Phys Feng Shui (PFS), our technique for surgically manipulating the layout of physical memory. We present how Android's /dev/ion enables PFS attacks by providing the attacker an interface to a physically contiguous memory allocator. Exploiting the ion interface, we land page tables at precise locations in memory, forming the base for the first deterministic Rowhammer-based privilege escalation attack, Drammer. We then evaluate Google's deployed fixes: the removal of this ion contiguous heap. This sets the stage for the second part of this talk where we detail our second attack, Rampage. We describe novel techniques to re-enable PFS, without having to rely on a contiguous memory allocator anymore.

In our conclusion, we touch on possible Rowhammer mitigations and speculate what Rowhammer will bring us in the future.

Speaker

Victor van der Veen is a product security engineer at Qualcomm. Before joining the San Diego-based chip maker, he pursued his PhD in the VUSec group at Vrije Universiteit Amsterdam, where he also obtained his MSc. degree in Computer Science. Under the wings of prof. dr. ir. Herbert Bos, his research revolved around memory errors, both in software (code-reuse attacks) and hardware (Rowhammer exploitation). Victor was the first to show that mobile devices are vulnerable to the Rowhammer bug. This work - Drammer, Rampage, and Guardian - was covered by international media and was rewarded with multiple awards, including a Pwnie at Blackhat US in 2017. He was also involved with the development of TraceDroid and Andrubis, two publicly available services for analyzing (malicious) Android apps.

A new way to execute shellcode in Android user space
Chi Zhang Hongli Han
Time TBA
Introduction

It is really once in a blue moon to see a complete escalation of privilege case in Android user space, due to the well-designed Android security framework: a generic, extensible multi-layered access control framework.

To make exploiting much more difficult, Android adopts some mitigations to prevent shellcode excutation. From Android N, a set of strict SELinux rules have been added to limit the system_server to create an executable memory, which makes it is almost impossible to perform shellcode executation.

To bypass these mitigations, we propose an entirely new way that employs the java VM environment to run java bytecode, other than traditional native shellcode. Since it's shelldata, there is no need for executable memory any more.

As a case study, we will introduce a interesting vulnerability which root cause is in kernel space but affects the process in the user space. It can be used to attack any privileged processes that the normal application can talk with through binder. We will exploit it to gain system privilege and run the evil code with the mitigation bypass technology.

Speaker

Chi Zhang is a security researcher at C0RE Team of Qihoo 360 Inc, focusing on Android framework vulnerability hunting and exploitation.

Hongli Han(@hexb1n) is a security researcher at C0RE Team of Qihoo 360 Inc. He is interested in AOSP&KERNEL bug hunting and exploitation. In the past years, he has already submitted a series of vulnerability reports to Google's Android Security Rewards program and got corresponding public recognition for the vulnerabilities disclosed.

Reference Counting Issues in XNU
Qixun Zhao
Time TBA
Introduction

XNU use reference counting mechanism to manage many kernel objects' life cycle. I will introduce the mechanism, its exploit mitigation and two bugs of it in my talk.

The first bug is CVE-2019-6225 which I used in TianfuCup 2018 Remote Jailbreak.I will talk about how to find this bug and how to use it to get tfp0 in detail.

The second similar bug is CVE-2019-8528 which fixed in iOS 12.2. Both vulnerabilities were reachable from any sandbox so they were very critical.

Speaker

Qixun Zhao(@S0rryMybad), a security researcher of Qihoo 360 Vulcan Team.

Focus on major browsers and macOS/iOS.

Pwned safari category in Pwn2Own 2017/Mobile Pwn2Own 2017.

Remote Jailbreak(from Safari to Kernel) on iPhoneX and finished Edge, Chrome, Safari(macOS) RCE in TianfuCup 2018.The "Best Solo Pwning" in TianfuCup 2018.

Rank 23 in MSRC 2018 Top 100.

The New Rise of Mobile Network and Baseband
Marco Grassi
Time TBA
Introduction

In the past year there was a lot of talking about new radio technologies, especially 5G.

In this talk we will take a look at a modern smartphone baseband and also the future technologies that are approaching this area, and how they will affect smartphones, IoT devices, cars, and critical infrastructure.

We will see how a baseband looks like today on the iPhone with the new Intel Baseband, and speculate how baseband might look like tomorrow.

Speaker

Marco Grassi(@marcograss) is currently a Senior Security Researcher of the KeenLab of Tencent (previously known as Keen Team). He is part of the team that won the "Mobile Master of Pwn" title in Tokyo for Mobile Pwn2Own 2016, working on iOS. He was also one of the main contributors at Desktop Pwn2Own 2016 for the Safari target with sandbox escape to root. He is a member of the team who won the title of "Master Of Pwn" at Pwn2Own 2016. He found a VMWare escape at Desktop Pwn2Own 2017, and baseband RCE and wifi iOS at Mobile Pwn2Own 2017 where we were awarded "Master Of Pwn" for the third time. He has spoken at several international security conferences such as Black Hat USA, DEF CON, Infiltrate, CanSecWest, ZeroNights, Codegate, HITB and ShakaCon.

Topic...
coming soon...
Time 2019/05/30
Introduction
Coming soon...
Speaker
Coming soon...
Topic...
coming soon...
Time 2019/05/30
Introduction
Coming soon...
Speaker
Coming soon...
Topic...
coming soon...
Time 2019/05/30
Introduction
Coming soon...
Speaker
Coming soon...
Schedule
05.30 DAY 1

08:00 - 09:00

On-site Registration

09:00 - 09:05

Welcome Speak

09:05 - 09:55

Topic...

09:55 - 10:45

Topic...

10:45 - 11:05

Break

11:05 - 11:55

Topic...

12:00 - 13:30

Lunch

13:30 - 14:20

Topic...

14:20 - 15:10

Topic...

15:10 - 15:30

Break

15:30 - 16:20

Topic...

16:20 - 17:10

Topic...

05.31 DAY 2

08:00 - 09:00

On-site Registration

09:00 - 09:50

Topic...

09:50 - 10:40

Topic...

10:40 - 11:00

Break

11:00 - 11:50

Topic...

12:00 - 13:30

Lunch

13:30 - 14:20

Topic...

14:20 - 15:10

Topic...

15:10 - 15:30

Break

15:30 - 16:20

Topic...

16:20 - 17:20

BaiJiuCon

17:20 - 17:30

Close

Hotel
555 Xi Zang Road(Middle),Huangpu District,Shanghai
Shanghai Marriott Hotel City Centre
2019/05/30 - 2019/05/31