NCC Group Research at Black Hat USA 2021 and DEF CON 29

This year, NCC Group researchers will be presenting 10 presentations at Black Hat USA (2 Briefings, 2 Arsenal tools, and 6 training sessions), and 7 presentations at DEF CON 29 (2 main track talks, 3 Demo Labs, and 2 Village talks).

A guide to these presentations (abstracts, dates, and links) is included below. We will also update this post with any additional presentations as they are accepted and announced.

Virtually or in-person, we hope you will join us!

Black Hat USA 2021

  • Sleight of ARM: Demystifying Intel Houdini (Brian Hong, NCC Group)
  • Securing Open Source Software: End-to-end, At massive scale, Together (Jennifer Fernick, NCC Group & Christopher Robinson, Intel)
  • Principal Mapper (PMapper): A Tool for Identifying Unique AWS Account/Organization Permissions Risks (Erik Steringer, NCC Group)
  • Solitude: A Privacy Analysis Tool (Dan Hastings, NCC Group)
  • Mastering Container Security V5: Black Hat Edition (Iain Smart & Divya Natesan, NCC Group)
  • Secure Coding in C and C++ (Robert C. Seacord, NCC Group)
  • Bad Active Directory (Dhruv Verma, Michael Roberts, & Xiang Wen Kuan, NCC Group) – offered twice
  • Offensive Cloud Security (NCC Group) – offered twice

DEF CON 29

  • Sleight of ARM: Demystifying Intel Houdini (Brian Hong, NCC Group)
  • Instrument and Find Out: Writing Parasitic Tracers for High(-Level) Languages (Jeff Dileo, NCC Group)
  • Principal Mapper (PMapper) – Mapping Privilege Escalation and More in AWS IAM (Erik Steringer, NCC Group)
  • Solitude: A Privacy Analysis Tool (Dan Hastings, NCC Group)
  • Depthcharge: A Framework for U-Boot Hacking (Jon Szymaniak, NCC Group)
  • Phish like an APT: Phenomenal pretexting for persuasive phishing (Sanne Maasakkers, Fox IT/NCC Group)
  • How Bias and Discrimination will have members of the Black community Incarcerated or Dead (Tennisha Martin, NCC Group)


Black Hat USA 2021


Sleight of ARM: Demystifying Intel Houdini

Brian Hong, NCC Group

Black Hat USA 2021 – Briefings

August 4-5 2021

ARM is taking over the computer industry. In recent years, we have seen some of the major players in the industry switch from x86-based processors to ARM processors. Most notable is Apple, which has supported the transition to ARM from x86 with a binary translator, Rosetta 2, which has recently gotten the attention of many researchers and reverse engineers. However, you might be surprised to know that Intel has its own binary translator, Houdini, which runs ARM binaries on x86.

In this talk, we will discuss Intel’s proprietary Houdini translator, which is primarily used by Android on x86 platforms, such as higher-end Chromebooks and desktop Android emulators. We will start with a high-level discussion of how Houdini works and is loaded into processes. We will then dive into the low-level internals of the Houdini engine and memory model, including several security weaknesses it introduces into processes using it. Lastly, we will discuss methods to escape the Houdini environment, execute arbitrary ARM and x86, and write Houdini-targeted malware that bypasses existing platform analysis.



Securing Open Source Software – End-to-End, at Massive Scale, Together

Jennifer Fernick, NCC Group / Open Source Security Foundation
Christopher (“CRob”) Robinson, Intel / Open Source Security Foundation

Black Hat USA 2021 – Briefings

August 4-5 2021

Open source software is a significant part of the core infrastructure in most enterprises in most sectors around the world and is foundational to the internet as we know it. Consequently, it represents a massive and profoundly valuable attack surface. Each year more lines of source code are created than ever before – and along with them, vulnerabilities. Consequently, we are minting vulnerabilities faster than our current techniques can discover and remediate them. We haven’t yet seen the true potential of techniques for finding vulnerabilities at scale, and there are reasons to believe attackers may get there before we can.

The combination of distributed community-driven development, public-facing deobfuscated source code, inconsistent use of security reviews and tooling, and the prominence of many key FOSS projects as the core infrastructure of enterprises around the world and of the internet itself means that the unique model that has made open source software projects and development lifecycles so impactful is also that which has historically made them difficult to secure. These are the problems we were aiming to solve with the creation of the Open Source Security Foundation.

In this presentation, we’ll share key lessons learned in our experience coordinating the industry-wide remediation of some of the most impactful vulnerabilities ever disclosed (Heartbleed, Shellshock, Rowhammer, and BlueZ), present a threat model of the many unmitigated challenges to securing the open source ecosystem, share new data which illustrates just how fragile and interdependent the security of our core infrastructure can be, debate the challenges to securing OSS at scale, and speak unspoken truths of coordinated disclosure and where it can fail. We will also discuss research advances that are making it easier for adversaries to find and exploit vulnerabilities at scale, and offer guidance for how members of the security community can get involved and contribute meaningfully to improving the security of OSS – especially through coordinated industry-wide efforts.

This presentation will include the official launch announcement of Open Source Security Foundation’s (openssf.org) grant program for security research projects to help secure the open source ecosystem!



Principal Mapper (PMapper): A Tool for Identifying Unique AWS Account/Organization Permissions Risks

Erik Steringer, NCC Group

Black Hat USA 2021 – Arsenal (Mandalay Bay – Station 3)

Wednesday, August 4 | 12:40pm-1:50pm
Thursday, August 5 | 10:00am-10:50am
Thursday, August 5 | 1:00pm-2:00pm

Principal Mapper (PMapper) is an open source tool and library for assessing AWS IAM and AWS Organizations for security concerns, such as privilege escalation and resource isolation. It tracks and identifies the different ways that one given IAM User/Role (Principal) could pivot to other IAM Users or Roles by reviewing all applicable IAM Policies. After gathering this data, PMapper can perform additional analysis, querying, and visualization.

The querying and analysis systems of PMapper go beyond checking if a principal is authorized to make a specific AWS API call. They also check if the principal can go through other principals to make a specified AWS API call. In a real-world example: if a user is not authorized to get an S3 object, PMapper also checks if the user can run an EC2 instance with a role as a means of bypassing that restriction. This means that PMapper tells you the effective permissions of each IAM User and Role, and the impact of the extra access you may grant to those principals.



Solitude: A Privacy Analysis Tool

Dan Hastings, NCC Group

Black Hat USA 2021 – Arsenal (Virtual)

Thursday, August 5 | 2:00pm-3:00pm

Solitude is an open-source privacy analysis tool that aims to help people inspect where their private data goes once it leaves their favorite mobile or web applications. Whether a curious novice or a more advanced researcher, Solitude makes the process of evaluating an app’s privacy accessible for everyone.

Unfortunately, privacy policies are often difficult to understand when trying to identify how your private data is being shared and whom it’s being shared with. As we have seen through research, privacy policies don’t always tell the complete truth of what an app’s actual data collection practices are. Solitude was built to help give users more transparency into where their private data goes. Solitude makes the process of proxying HTTP traffic and searching through HTTP traffic more straightforward. Solitude can be configured to look for any type of data that you input in a mobile or web application and reveal where that data is going. The application inspects all outbound HTTP traffic, looks for various hashes of your data and recursively decodes common encoding schemes (base64, URL).



Mastering Container Security V5 – Black Hat edition

Iain Smart & Divya Natesan, NCC Group

Black Hat USA 2021 – Trainings

August 2-3 2021

Containers and container orchestration platforms such as Kubernetes have become a common feature of companies’ IT platforms, but how do they really work and how can you attack or secure them?

This course takes a deep dive into the world of Linux containers, covering fundamental technologies and practical approaches to attacking and defending container-based systems such as Docker and Kubernetes.

In the 2021 Black Hat Edition of the course we’ve enhanced our core content with the latest in attack and defence from the container world, based on the expertise of NCC Group’s Container Orchestration Security Services Team.



Secure Coding in C and C++

Robert C Seacord, NCC Group

Black Hat USA 2021 – Trainings

July 31-August 3 2021

Secure Coding Training in C and C++ is a four-day course that provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. This course concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries.



Bad Active Directory (BAD)

Dhruv Verma, Michael Roberts, & Xiang Wen Kuan, NCC Group

Black Hat USA 2021 – Trainings

Session #1, July 31 – August 1 2021
Session #2, August 2-3 2021

Bad Active Directory (BAD) is a beginner-to-intermediate level training for hacking Windows Active Directory. The hands-on CTF-like exercises we offer aim to simulate real traffic, and the challenges are deployed in AWS. By presenting a realistic exploit chain (minus covert techniques), users will learn about various types of vulnerabilities within an Active Directory environment and how to exploit them, employing different tools and tricks to pivot across machines towards achieving the privileges of Domain Admin.

This training consists of four lab modules based on real attacks we’ve performed on client environments, and each lab imitates how modern networks look. Each attendee will have access to their own environment, credentials for which will be distributed via a web application. Within each environment, there will be two test machines (a Linux host and a Windows host), which the attendees can use to perform the test. All required tools will be pre-installed.



Offensive Cloud Security

NCC Group

Black Hat USA 2021 – Trainings

Session #1, July 31 – August 1 2021
Session #2, August 2-3 2021

While security awareness and collective experience regarding the Cloud have been steadily improving, one common difficulty is applying theoretical knowledge to real-life scenarios. This training’s goal is to help attendees bridge this gap by understanding how conventional technologies integrate with Cloud solutions. The training is scenario-based and focuses on applied exercises.

Attendees will experience first-hand how security vectors that exist in such ecosystems present opportunities for abuse. Throughout the training, we will also cover detection and mitigation of the attacks covered in the course.

The training is structured as a sequence of scenarios, which mix theory and practical exercises. The theory is imparted gradually, and attendees are given time to think for themselves and work through the exercises.



DEF CON 29


Sleight of ARM: Demystifying Intel Houdini

Brian Hong, NCC Group

DEF CON 29 (Main Track)

August 5-8 2021

In recent years, we have seen some of the major players in the industry switch from x86-based processors to ARM processors. However, you might be surprised to know that Intel has long supported the ARM to x86 transition with their binary translator, Houdini, which runs ARM binaries on x86.

In this talk, we will discuss Intel’s proprietary Houdini translator, which is primarily used by Android on x86 platforms, such as higher-end Chromebooks and desktop Android emulators. We will start with a high-level discussion of how Houdini works and is loaded into processes. We will then dive into the low-level internals of the Houdini engine and memory model, including several security weaknesses it introduces into processes using it. Lastly, we will discuss methods to escape the Houdini environment, execute arbitrary ARM and x86, and write Houdini-targeted malware that bypasses existing platform analysis.



Instrument and Find Out: Writing Parasitic Tracers for High(-Level) Languages

Jeff Dileo, NCC Group

DEF CON 29 (Main Track)

August 5-8 2021

Modern programming languages are, more and more, being designed not just around performance, ease-of-use, and (sometimes) security, but also performance monitoring and introspectability. But what about the languages that never adopted such concepts from their peers? Or worse, what about the languages that tacked on half-hearted implementations as an afterthought? The answer is simple: you write your own and instrument them into the language dynamically.

In this talk, we will discuss the process for developing generalized parasitic tracers targeting specific programming languages and runtimes using Ruby as our case study. We will show how feasible it is to write external tracers targeting a language and its runtime, and discuss best practices for supporting different versions over time.



Depthcharge: A Framework for U-Boot Hacking

Jon Szymaniak, NCC Group

DEF CON 29 – Demo Labs

August 5-8 2021

In modern embedded systems that implement a “secure boot” flow, the boot loader plays a critical role in establishing the integrity and authenticity of software and data required to boot an operating system. Given the role and vantage point of boot loaders, they are a particularly interesting target for hardware hackers seeking to root a device and instrument it for further vulnerability hunting and reverse engineering. Although the vast majority of devices leveraging the ubiquitous and open source U-Boot boot loader leave it unprotected and trivially exploited, more product vendors are finally implementing secure boot and (attempting to) lock down their U-Boot builds. These less common specimens offer exciting opportunities to pursue creative bypasses and explore underappreciated U-Boot functionality.

The Depthcharge framework was developed to help hardware hackers methodically (ab)use some of that underappreciated U-Boot functionality in novel ways to circumvent boot-time protections, as well as expedite the identification and exploitation of “the usual suspects” within exposed U-Boot device consoles. The project includes a Python 3 library for interfacing with devices, reading and writing memory via available primitives, deploying executable payloads, and analyzing various data structures. A collection of scripts built atop the library makes this functionality readily available via the command line, and “Depthcharge Companion” firmware allows the tooling to extend its vantage point by presenting itself as a peripheral device connected to the target. This Demo Lab will introduce the basics of Depthcharge and explore how attendees can leverage and expand upon it when seeking to circumvent boot-time protections or just to further explore a system from within the U-Boot environment. For those wishing to protect their (employer’s) products from fellow DEF CON attendees, we’ll also cover the configuration checker functionality that can be used to avoid common U-Boot pitfalls.



Solitude: A privacy analysis tool

Dan Hastings, NCC Group

DEF CON 29 – Demo Labs

August 5-8 2021

Solitude is an open-source privacy analysis tool that aims to help people inspect where their private data goes once it leaves their favorite mobile or web applications. Whether a curious novice or a more advanced researcher, Solitude makes the process of evaluating an app’s privacy accessible for everyone without the need for time-consuming app instrumentation and analysis, which we’ve abstracted away from the user.

Privacy policies are often difficult to understand when trying to identify how your private data is being shared and with whom it’s being shared. My previous research1 has even shown that privacy policies don’t always tell the truth of what an app’s actual data collection practices are. What’s more, prior to Solitude, tooling to find this out efficiently didn’t exist for security researchers, let alone nontechnical users. Solitude was built to give users more transparency into where their private data goes by making the process of proxying and inspecting HTTP traffic more straightforward, and it can be configured to look for arbitrary datatypes captured by a mobile or web application. In its early release, this tool has already been used by journalists to help investigate privacy abuses by mobile app vendors.




Principal Mapper (PMapper) – Mapping Privilege Escalation and More in AWS IAM

Erik Steringer, NCC Group

DEF CON 29 – Demo Labs

August 5-8 2021

Principal Mapper (PMapper) is an open-source tool and library for assessing AWS IAM and AWS Organizations for security concerns, such as privilege escalation and resource isolation. It tracks and identifies the different ways that one given IAM User/Role (Principal) could pivot to other IAM Users or Roles by reviewing all applicable IAM Policies. After gathering this data, PMapper can perform additional analysis, querying, and visualization.

The querying and analysis systems of PMapper go beyond checking if a principal is authorized to make a specific AWS API call. They also check if the principal can go through other principals to make a specified AWS API call. In a real-world example: if a user is not authorized to get an S3 object, PMapper also checks if the user can run an EC2 instance with a role as a means of bypassing that restriction. This means that PMapper tells you the effective permissions of each IAM User and Role, and the impact of the extra access you may inadvertently grant to those principals.



Phish like an APT: Phenomenal pretexting for persuasive phishing

Sanne Maasakkers, Fox IT/NCC Group

DEF CON 29 – Adversary Village

August 7 2021, 13:30 PDT

Have you ever wondered what phishing strategy real world APTs use? And how these compare with the scenarios that you use during your Red Team / social engineering activities? If you did, you probably found out that there’s a lot of research about APT techniques, tactics and procedures, like the use of specific malware or attack vectors, but there are not many public resources on which techniques those attackers actually use to convince an unsuspecting person to aid them in their operation. In this talk an analysis is presented of hundreds of phishing emails that were used in real campaigns. All characteristics of an email, like the method of influence, tone of speech and technologies used, are classified, and the analysis measures how well a phishing campaign is designed, scoring from “obvious spam” to “near-realistic original mail”. By comparing and measuring the state of these phishing emails, we can learn more about how certain groups operate and how much “effort” they put into their scenarios. This is important knowledge for both attackers and defenders. If you want to know how to phish like you’re an APT, then this talk is for you. Spoiler alert: you might already be a better phisher than these groups.


How Bias and Discrimination will have members of the Black community Incarcerated or Dead

Tennisha Martin, NCC Group

DEF CON 29 – Blacks in Cyber Village

August 5-8 2021

This talk focuses on algorithmic analysis and machine learning in the healthcare and criminal justice settings. Algorithms make a lot of important decisions, including selecting candidates for a particular residency in medical school, tests that identify skin cancer in patients, or determining the sentencing recommendations for people convicted of a crime. The outcome of these decisions includes impacting the number of people (or people of color) in certain specialties, failing to identify skin cancer in people of color, and recommending longer sentences for black people and in particular black men. Studies have shown that bias in algorithms has a wide-ranging impact, especially in the areas of clinical decision support and in criminal justice. Clinical decision support is integrated into electronic health records around the world and is used to establish things like best practices, medication guidelines, and prioritization of patients. The idea behind clinical decision support is that the algorithms are used based on aggregated data to help health care providers provide a standard of care. The reality, however, is that there is a thin line between the algorithms acting as the basis for recommendations and them acting autonomously. The aggregation of data and the formulation of algorithms by a largely homogeneous population results in bias and discrimination against people of color. In criminal justice, the racial impact of predictive policing is that black people serve longer times in jail. In healthcare, the impact of algorithmic bias results in poorer health outcomes, and failure to diagnose and treat patients of color. The result is that bias and discrimination in artificial intelligence will have members of the Black community incarcerated or dead.

[Editor’s Note: This post updated July 13th with addition of Sanne Maasakkers’ presentation, and July 14th to include Tennisha Martin’s presentation.]