Recommended talks from this year's C3 hacker conference

Posted by loope at 2020-04-09

In recent days, the 35th Chaos Communication Congress (35C3) hacker conference held in Germany has been very popular on Twitter, but no one in China is talking about it.

This shows that the atmosphere of the security community on the two microblogging platforms is totally different. Sina Weibo is more entertainment-oriented, and the international community is naturally much larger than the Chinese one, with people from many countries communicating there.

So I now spend a lot of time on Twitter as a way to get security information; Sina Weibo is really just a news reader.

The Chaos Communication Congress (C3) in Germany

The Chaos Communication Congress (C3) is a hacking conference held in Germany every year, usually called "C3" in the community. This year is the 35th edition, hence 35C3. There was also a CTF competition this year. Some people who have competed at Pwn2Own set challenges based on real browser vulnerabilities, which gives them practical value.

Every year, the conference shares its talks as video recordings. Previously, most of them focused on radio security, so a lot of 2G/3G/4G SMS and phone hacking research comes from this conference. This year there were also some good talks on software security. Here are some that I think are good.

From Zero to Zero Day

One talk at the conference was called "From Zero to Zero Day". The speaker was a senior high school student. He talked about his own experience over one year, going from no security background to his first Edge browser remote code execution vulnerability.

In summary:

1. Learn programming languages (C/C++, ASM, etc.)

2. Learning operating system principles

3. Learn the principles of common binary vulnerabilities

4. Play CTFs and write write-ups

5. Learn and practice analyzing real vulnerability cases, that is, read the code directly and debug it

6. Repeat the exercise

I'll post some key screenshots directly, and I recommend listening to the talk (video link: https://media.ccc.de/v/35c3-9657-from_zero_to_zero_day):

Attacking Chrome IPC

The author previously presented this topic at the Korean POC conference and published the PDF online (https://data.hackinn.com/ppt/2018 Korean POC security conference / ned. PDF). It is mainly about the Chrome IPC vulnerability he used to compromise the Chrome browser at the Hack2Win beVX hacking contest. For the video of the C3 talk, see: https://media.ccc.de/v/35c3-9579-attacking_chrome_ipc

In this talk, the author introduces some methods for learning and researching binary vulnerabilities, such as code auditing and CTFs. He also describes his own security research over recent years, which is more down-to-earth than the crash + CVE approach popular in China.

Finally, he shows how to use libFuzzer + libprotobuf-mutator to fuzz Chrome IPC; the open-source fuzzer code has been merged into the project.

Jailbreaking iOS From past to present

This talk covers the history of iOS jailbreaking. You can learn the principles of the various iOS security mechanisms and the methods used to bypass them, and the speaker drew many schematic diagrams that make it easy to understand. For anyone who wants to know how iOS jailbreak technology developed, this is really good material.

The author also posted the PDF and video on Twitter:

pdf: https://api.tihmstar.net/35c3slides.pdf

video: https://media.ccc.de/v/35c3-9618-jailbreaking_ios

The whole talk focuses on the following points:

Types of jailbreak (imperfect jailbreak, perfect jailbreak...)

Exploit mitigations (ASLR, iBoot-level AES, KPP, KTRR, PAC)

Kernel patches (h3lix)

Kppless jailbreaks

Future trends in jailbreaking

The Layman's Guide to Zero-Day Engineering

Ret2 shares how to find the attack surface of WebKit and fuzz it, using a JS fuzzer built on Dharma, the grammar-based generation framework from Mozilla Security, and how to analyze code coverage with IDA plus the open-source Lighthouse plugin (developed by the Ret2 team; it won second prize in the IDA plugin contest).

In addition, the talk shows how to use Frida to hook mach_msg in order to fuzz WindowServer, and finally uses a WindowServer vulnerability to gain root privileges.

They have also shared a lot of solid material on vulnerability research on their blog (https://blog.ret2.io), and most of what they presented this time comes from articles there.

The talk also mentions the Real World CTF competition held by Chaitin (Changting).

Here's an interesting picture to share with you.

Video link: https://media.ccc.de/v/35c3-9979-the_layman_s_guide_to_zero-day_engineering

Modern Windows Userspace Exploitation

Video link: https://media.ccc.de/v/35c3-9660-modern_windows_userspace_exploitation

People from Microsoft MSRC presented binary exploitation techniques on the Windows platform, including ROP to bypass DEP, information disclosure to bypass ASLR, and bypasses for CFG, ACG, CIG, etc. They gave some live demonstrations, although these look like CTF challenges. The demo code is on the author's GitHub: https://github.com/saaramar

It's a summary of the principles of the system's exploit mitigations and the techniques for bypassing them. It even marks the Microsoft bounties for bypassing each mitigation. In fact, it is something like a Windows version of the iOS jailbreaking talk above.

Finally, I'd like to give a list of exploit mitigations:

Epilogue

The organizers may continue to release talk videos later; you can follow the official Twitter account (@c3voc_releases) for updates.

In addition, readers who are not strong in English may want to try "Tencent Translation". Although the Chinese translation is not very accurate, you can still get the general idea by reading it alongside the English text displayed.