We’re excited to announce the third installment of the Fastly Security Speaker Series. Fastly will bring some of the most innovative and thoughtful security researchers to San Francisco to share their work. Speakers include Alex Bazhaniuk, of Eclypsium, Inc. and Stephen Checkoway, whose most recent papers include: A Systematic Analysis of the Juniper Dual EC Incident, Run-DMA and On the Security of Mobile Cockpit Information Systems.

We invite you to join us for drinks, snacks, and a few hours of excellent security discussion on Thursday, Oct. 26 at 6pm PT.

Talk 1: Alex Bazhaniuk of Eclypsium, Inc.

Oleksandr Bazhaniuk (@ABazhaniuk) is an independent security researcher. In the past a member of the Advanced Threat Research team and Security Center of Excellence (SeCoE) at Intel Inc. His primary interests are low-level security, hardware and firmware security, exploitation and automation of binary analysis. His work has been presented at many conferences, including Black Hat, Recon, DefCon, CanSecWest, Troopers, USENIX. He is also a co-founder of DCUA, the first DefCon group in Ukraine and ctf team.

Exploring Your System Deeper

Ever wanted to explore deep corners of your system but didn't know how? This could include system boot firmware, ROMs on expansion cards, I/O devices and their firmware, microprocessors, embedded controllers, memory devices, low-level hardware interfaces, virtualization and hypervisors — you could discover if any of these have known vulnerabilities, configured insecurely, or even discover new vulnerabilities and develop proof-of-concept exploits to test these vulnerabilities. Ultimately, you can verify security state of platform components of your system and how effective the platform security defenses are: hardware or virtualization based TEE, secure or trusted boot, firmware anti-tampering mechanisms, hypervisor based isolation... Or maybe you just want to explore hardware and firmware components your system has. CHIPSEC framework can help you with all of that. Since its release at CanSecWest 2014, significant improvements have been made in the framework — from making it easy to install and use to adding lots of new security capabilities. We'll go over certain representative examples of what you can do with it such as finding vulnerabilities in SMM firmware, analyzing UEFI firmware vulnerabilities, testing hardware security mechanisms of the hypervisors, finding backdoors in UEFI images, and more.

Talk 2: Stephen Checkoway, Assistant Professor at University of Illinois at Chicago

Stephen Checkoway is an Assistant Professor in the Department of Computer Science at the University of Illinois at Chicago. Checkoway's research interests are in embedded and cyber-physical systems security with a focus on
the role of network security in those domains. His recent work includes passive attacks on TLS and IKE implementations using backdoored random number generators. Checkoway's past work includes demonstrating vulnerabilities in electronic voting machines, modern automobiles, laptop webcams, and X-ray backscatter, full-body scanners. Checkoway received his Ph.D. in Computer Science from the University of California, San Diego in 2012 and spent three years as an Assistant Research Professor at Johns Hopkins University prior to joining the University of Illinois at Chicago.

The Juniper Dual EC incident

In December 2015, Juniper Networks announced that unknown attackers had added unauthorized code to ScreenOS, the operating system for their NetScreen VPN routers. This code created two vulnerabilities: an authentication bypass that enabled remote administrative access, and a second vulnerability that allowed passive decryption of VPN traffic. Reverse engineering of ScreenOS binaries revealed that the first of these vulnerabilities was a conventional back door in the SSH password checker.

The second is far more intriguing: a change to the Q parameter used by the Dual EC pseudorandom number generator. It is widely known that Dual EC has the unfortunate property that an attacker with the ability to choose Q can, from a small sample of the generator’s output, predict all future outputs. In a 2013 public statement, Juniper noted the use of Dual EC but claimed that ScreenOS included countermeasures that neutralized this form of attack. In this talk, Stephen Checkoway presents the results of a thorough independent analysis of the ScreenOS randomness subsystem, as well as its interaction with the IKE VPN key establishment protocol. This work sits at the intersection of cryptography, protocol design, and forensics, and is a fascinating look at a problem that received a great deal of attention at the time but whose details are less well known.

Fastly Security Speaker Series: Part 3