Security Conferences in 2024

After a few years without attending conferences, I returned to attend in 2024. I participated in the Null Byte Security Conference in Salvador, H2HC in São Paulo, and CCC (38c3) in Hamburg, Germany. In this blog post, I comment on my experience at these conferences, the presentations I watched, and other points I consider relevant to share.

10th Edition of the Null Byte Security Conference

The 10th Edition of the Null Byte Security Conference took place on November 30, 2024, in Salvador, Bahia. The Null Byte Security Conference was the only conference I was still attending. After the pandemic, I don’t recall participating in any other conference besides Null Byte. The conference is held in the city where I reside and is organized by my friends. I even gave a presentation at the event in 2024. The slides are already available, but for those who haven’t seen them and are interested, you can find them here.

Regarding the talks, I ended up watching only one: Thayse Solis’s presentation, as it was the presentation preceding mine. Thayse’s presentation was titled: Binary Reversing and Exploitation: A Case Study on Egg Hunting. It was a very good presentation. She presented with excellent didactics, carefully explaining every detail. There were some questions at the end of the presentation, so I believe the audience liked it as well.

My presentation was titled: The Importance of Methodology for Information Security Research. I chose a topic that could be of interest to everyone present. Vulnerability exploitation, debugging, kernel, and low-level subjects are cool and interesting, but I preferred a theme that could be interesting to everyone, regardless of experience level. In the end, some questions were asked, and the feedback I received, even after the event, was positive.

The conference overall was very good. This edition was held in a different location. Initially, I would have preferred the previous location where several editions had already taken place, and I believe the majority of the audience was already used to it. However, in the end, I can say that this new location was interesting. At least for me, I had cool experiences. The reason I attend events, besides the technical content, is to reunite with and make new friends, and in this edition, the social interaction was quite satisfactory. There was a moment when a conversation circle formed, with several people sharing experiences, talking, laughing, and of course, having fun. Photos of the event are available here.

21st Edition of the Hackers to Hackers Conference (H2HC)

The 21st edition of the Hackers to Hackers Conference (H2HC) took place on December 14 and 15, 2024, in São Paulo. My initial plan was to watch the greatest number of presentations I could; however, this is out of my control. I managed to watch some but missed several that I would have loved to see. The H2HC presentation agenda is always of a very high level. I dare say that the level is much higher than many international conferences.

The conference in general is well organized, with simultaneous lectures, diverse activities, and interesting people; however, it has grown a lot compared to the last edition I attended. This time it was visible, at least on the first day, that the event was very crowded. Some people reported discomfort. I like to talk and meet people, and in the last edition of H2HC I attended, before the pandemic, I felt like the John Travolta meme. I spent time walking back and forth without finding people I knew or making new friends. Although in the end I did find some people and made new friendships, I returned home with the feeling that the conference had grown and I hadn’t kept up with that growth, resulting in few social interactions. Furthermore, a relevant number of people I used to meet at events apparently no longer participate.

This time was very different, and that is one of the reasons I couldn’t see the vast majority of the presentations I had planned. I reunited with friends, met people, and interacted with some international speakers. Overall, in this edition, my social experience at H2HC was quite pleasant.

Well, I arrived early to try to get a good seat to watch Gerardo Richarte’s keynote presentation, but when I arrived, the line to pick up credentials was very long, and that worried me. Fortunately for me, the event was delayed a little, and at least on the first day, the presentations started a bit later. I got my credentials and waited comfortably for the presentation, in the front rows, of course. Unfortunately, it seems that the conference has not yet made available the videos and some slides of the presentations I watched, and for this reason, I cannot write about all the important points. I will comment only on what I can remember at the time of writing this blog post. I can update it if I find the materials or remember something relevant.

Keynote: 30+ years of exploiting things – Gerardo Richarte

Gerardo Richarte was one of the reasons for my presence at this edition of H2HC. I have been performing vulnerability research/exploitation for some time, and Gerardo Richarte is an important person in the area. He presented and wrote articles, many years ago, on vulnerability exploitation techniques that can still be considered interesting. Today, Gerardo Richarte is the co-founder and Chief Innovation Officer of Satellogic, a company specializing in Earth observation satellites. His presentation was titled: 30+ years of exploiting things.

Before the presentation started, with the room still empty, I saw him sitting, waiting for the time to start his presentation. I then took the opportunity and went to talk to him. An important moment for me, being able to meet him in person and chat a bit. The presentation was really great.

Gerardo Richarte started talking about his time at Core Security, a company specializing in consulting and vulnerability research, located in Buenos Aires, Argentina. Core Security was acquired in 2019 by HelpSystems. When I started my career in information security, Core Security was a company that stood out and was a source of inspiration. I read and followed everything I could related to the company and its researchers.

During the presentation, he discussed the impact of vulnerability exploitation work nowadays and then spoke about the work at Satellogic. Two important points mentioned during the presentation were about the use of his hacking knowledge at Satellogic. During a deployment process, something went wrong, and he needed to recover access to the satellites. Another point, if I understood correctly, is the use of hacking to lower costs. Specialized GPS equipment for aerospace activities has a high cost. From what I understood, through his hacking knowledge, it was possible to reuse conventional GPS, lowering costs.

Gray matter and Zero-Days: Outwitting Cognitive Decline in VR – Nigel Ploof

This presentation was also very good. Nigel spoke about cognitive decline, its influence on vulnerability research (VR), and how we can reduce the impact on a vulnerability research career. The presentation was divided into roughly three parts: The introduction where he started talking about research relating to cognitive decline and aging, how we can reduce the impact of decline as we age, and finally, he spoke about his work methodology.

At one point during the presentation, Nigel Ploof spoke about the balance between emotion and capacity. Young people are more emotional and are at their peak cognitive capacity. As adults, we begin to decline but control our emotions better. He also spoke about the influence of physical activities on professional performance and that a large part of the researchers he knows do physical activities, predominantly running. I, curiously, am preparing a blog post about my experience with running—an activity I started in 2024 and lately comment on quite a lot with friends and close people regarding the impact on my career (blog post is published here). Today I feel much better cognitively speaking, especially regarding memory. I wouldn’t trade the Anderson of today for the Anderson of 10 years ago.

A detail, probably irrelevant to everyone else but which caught my attention, was when Nigel was talking about a point in his methodology and mentioned the acronym FAFO (Fuck Around and Find Out). I didn’t know this expression and curiously, after watching the presentation, I have seen this expression in several places, social media, in a presentation at CCC, and even American President Trump using it.

At the end of the presentation, I asked about evidence demonstrating morphological changes in the brain and the association of these changes with cognitive decline. From what I remember of the answer, he said he didn’t have or perhaps didn’t know of any study with this theme. The reason for my question is that I believe this is not yet so well defined (at least the decline rate) in neuroscience. Of course, I do not have the knowledge or authority to speak on the subject, but as a curious person, I remember there is still a debate about this theme. In any case, many researchers and professionals from various fields of knowledge that I follow, even at advanced ages, seem to demonstrate high cognitive capacity. If these people can maintain themselves at a high level, perhaps it is not a fact that everyone will decline cognitively to the point of greatly affecting our performance as researchers. I contacted Nigel via X requesting the slides to be able to write better about the presentation, but unfortunately, I haven’t received a response yet.

False Injection – Tales of Physics, Misconceptions and Weird Machine – Christofaro Mune

This was the keynote of the second day and it was excellent. Honestly, I expected different content based on the title, but upon watching the presentation, I left quite satisfied. Hardware and fault injection are not normally subjects of my interest, but it is nonetheless interesting content. Although from a different perspective, this presentation touched on several points that I usually talk about on a daily basis.

The presentation was very (very) good; I would say at a level of excellence. At the beginning of the presentation, Christofaro Mune starts talking about the benefit of including physics in our computational model. This is an interesting topic. I have been mentioning that in my opinion, the future of vulnerability research will involve much more hardware and physics than we usually talk about nowadays. In a training I taught last year, in the last module, I discoursed a little about my vision of the future and I commented on these points. We have seen interesting vulnerabilities and attacks recently, such as Rowhammer and processor vulnerabilities that require a high level of understanding of chip internals.

He discussed some assumptions in the area of fault injection and that after performing some experiments, it was discovered that some of these assumptions were wrong. I was happy to see someone respected mentioning this theme. I follow science in a certain way and talk about it on a daily basis with friends and acquaintances, and one of the important points I notice is that many have various assumptions about how things work that are not true. From basic assumptions in biology, mathematics, and even about how science is done in practice. Although I am not involved in any of this, I spend a large part of my time following scientists, both in books, blog posts, and on social media. And yes, there is a lot of bad science and many assumptions that, even if believed by thousands or millions of people, are wrong. The same happens with vulnerability research and the information security area. In the presenter’s own words, we can see in the image below some assumptions that he debunks after performing experiments.

A point shown in the presentation that might be interesting for me professionally is the mitigations intended to protect against physical attacks like fault injection. I was unaware of these mitigations. An example mentioned is the use of fault injection to cause a certain code to be ignored, such as signature validation. A mitigation implemented in code aiming at protection against these attacks is code duplication: performing signature validation several times. As I believe anyone involved with vulnerability research imagines, these mitigations are not effective. If through fault injection it is possible to make certain code not execute, then the amount of code doesn’t matter; it will (likely) be possible to skip all of it. Christofaro also mentioned in his presentation the power of data visualization and that apparently, these techniques are not much used by professionals and researchers in the field.

There were interesting interactions during the presentation, with comments from the illustrious Sergey Bratus and others. Although the title had “Weird Machine”—and that was the point that most interested me initially to see the presentation—the concept was not presented and discussed directly, as I would have liked to see. The slides are available here.

What every hacker should know about TLB invalidation – Pawel Wieczorkiewicz

This was the presentation I couldn’t miss. I know the work of Pawel Wieczorkiewicz and the company he works for, Open Source Security, popularly known as grsecurity. Open Source Security offers excellent security through patches for the Linux kernel. The slides are available here.

The focus of the presentation was on TLB invalidation, and it was divided into three parts: An introduction to the concept of the TLB, a problem they had when implementing a feature in the Linux kernel, and finally, a bug in an instruction to invalidate the TLB in Intel processors reported to FreeBSD developers.

TLB is an acronym for Translation Lookaside Buffer. This is a cache of address translations present in processors. In computing, there is the concept of virtual addresses and physical addresses. There is a table in memory (the page table) that translates a virtual address to a physical address; however, walking this table is costly, and that is why the TLB exists: to store recent mappings so that the translation is resolved more quickly. TLB invalidation and management are very important in operating system development and also for information security researchers focused on operating systems.

Pawel’s presentation began with an introduction to the TLB and related resources. Some details perhaps not so popular (paging-structure caches), quirks, conditions under which invalidations should and should not be done, and how to perform them. This part of the presentation was very well done, including details that usually only those who need to understand well how these resources work in practice know. An important detail to mention here is that even though there is detailed documentation on how processors work, in some situations, there are bugs or behaviors not described, and therefore, only those who need to interact at this level of abstraction usually understand and encounter these scenarios.

Then, a bug was mentioned when implementing the private stacks feature in grsecurity, called PRIVATE KSTACKS. The problem is mentioned in the following slide:

As described in the slides, a rare page fault exception (#PF) happened when it shouldn’t, and some details are relevant, such as occurring only in E (Efficient) cores and in new Intel processors of the Alder Lake family. In new processors, there are two types of cores, P for performance and E for efficiency. The problem happened because a page table structure continued to be stored in the cache even when, in theory, it shouldn’t, and this led the processor to access an invalid address, resulting in a spurious page fault. As already mentioned, the problem happened only in E cores in Intel processors of the Alder Lake family. The solution, apparently, was to guarantee that this specific cache was cleared for the desired address through the invlpg instruction. As can be seen in the image I included below, besides the TLB, there are some specific page table caches, and these are the caches related to the problem.

https://www.semanticscholar.org/paper/Prefetch-Side-Channel-Attacks%3A-Bypassing-SMAP-and-Gruss-Maurice/a83a1b4a66cb4abc5e65453e2664a68917a4bcaa
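To make the failure mode concrete, here is an added illustration (my own constructed model, not code from the talk or from grsecurity): a toy two-level page walk in C with a TLB and a separate paging-structure cache that remembers page-directory lookups. It shows why rewriting a PTE needs invalidation, and how a page-table frame that is still held in the paging-structure cache after only the TLB entry was flushed produces a spurious #PF, in the same shape as the bug described above. All structures, addresses and frame numbers are constructed; the invlpg model follows the Intel SDM rule that INVLPG also drops every paging-structure cache entry.

```c
#include <stdint.h>
#include <string.h>
/* Toy two-level paging: 10-bit directory index, 10-bit table index, 12-bit
 * offset. Frames 0..7 of the simulated physical memory hold page tables. */
#define ENTRIES    1024
#define PAGE_SHIFT 12
#define PRESENT    1u
#define TLB_SIZE   16
#define PSC_SIZE   4          /* paging-structure cache: remembers PDE lookups */
#define PAGE_FAULT (-1L)

typedef struct { int valid; uint32_t vpn, pfn; } tlb_entry;
typedef struct { int valid; uint32_t dir, pt_frame; } psc_entry;

static struct {
    uint32_t pd[ENTRIES];         /* PDE = pt_frame << 12 | PRESENT */
    uint32_t pt[8][ENTRIES];      /* PTE = pfn      << 12 | PRESENT */
    tlb_entry tlb[TLB_SIZE];
    psc_entry psc[PSC_SIZE];
} m;
/* Hardware side: translate a linear address, filling both caches on a miss.
 * Returns the physical address or PAGE_FAULT (#PF). */
long translate(uint32_t vaddr) {
    uint32_t vpn = vaddr >> PAGE_SHIFT, off = vaddr & 0xfff;
    uint32_t dir = vpn >> 10, idx = vpn & 0x3ff, pt_frame;
    tlb_entry *t = &m.tlb[vpn % TLB_SIZE];
    if (t->valid && t->vpn == vpn)
        return (long)(t->pfn << PAGE_SHIFT | off);          /* TLB hit */
    psc_entry *p = &m.psc[dir % PSC_SIZE];
    if (p->valid && p->dir == dir) {
        pt_frame = p->pt_frame;   /* PSC hit: the PDE in memory is NOT re-read */
    } else {
        if (!(m.pd[dir] & PRESENT)) return PAGE_FAULT;
        pt_frame = m.pd[dir] >> PAGE_SHIFT;
        *p = (psc_entry){1, dir, pt_frame};
    }
    uint32_t pte = m.pt[pt_frame][idx];
    if (!(pte & PRESENT)) return PAGE_FAULT;
    *t = (tlb_entry){1, vpn, pte >> PAGE_SHIFT};
    return (long)(t->pfn << PAGE_SHIFT | off);
}

/* Naive flush: drops only the TLB entry, leaves the paging-structure cache. */
void flush_tlb_entry_only(uint32_t vaddr) { m.tlb[(vaddr >> PAGE_SHIFT) % TLB_SIZE].valid = 0; }

/* Model of INVLPG: drops the TLB entry for the address and, as the Intel SDM
 * specifies, every paging-structure cache entry, not only the one for vaddr. */
void invlpg(uint32_t vaddr) { flush_tlb_entry_only(vaddr); memset(m.psc, 0, sizeof m.psc); }

/* OS side: map vaddr -> pfn through the page table living in frame pt_frame. */
void map_page(uint32_t vaddr, uint32_t pt_frame, uint32_t pfn) {
    uint32_t vpn = vaddr >> PAGE_SHIFT;
    m.pd[vpn >> 10] = pt_frame << PAGE_SHIFT | PRESENT;
    m.pt[pt_frame][vpn & 0x3ff] = pfn << PAGE_SHIFT | PRESENT;
}

/* Scenario 1: remap a page in place. Without invalidation the stale TLB entry
 * keeps answering with the old frame (0x100000); with INVLPG we get 0x200000. */
long remap_page(int use_invlpg) {
    memset(&m, 0, sizeof m);                        /* constructed clean state */
    map_page(0x400000, 2, 0x100);
    translate(0x400000);                            /* warms the TLB */
    map_page(0x400000, 2, 0x200);                   /* PTE rewritten */
    if (use_invlpg) invlpg(0x400000);
    return translate(0x400000);
}

/* Scenario 2: the OS moves a page table to another frame, frees the old one and
 * only flushes the TLB entry. The paging-structure cache still points at the
 * freed frame: the walk reads a cleared PTE and raises a spurious #PF. INVLPG
 * also drops that cached entry, so the walk re-reads the PDE and yields 0x300000. */
long move_page_table(int use_invlpg) {
    memset(&m, 0, sizeof m);
    map_page(0x800000, 3, 0x300);
    translate(0x800000);                            /* caches PDE -> frame 3 */
    memcpy(m.pt[4], m.pt[3], sizeof m.pt[3]);
    memset(m.pt[3], 0, sizeof m.pt[3]);             /* old table freed */
    m.pd[2] = 4u << PAGE_SHIFT | PRESENT;
    if (use_invlpg) invlpg(0x800000); else flush_tlb_entry_only(0x800000);
    return translate(0x800000);
}
```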

The summary of the problem is described by Pawel himself in the slide below:

The presentation up to this moment had already been excellent, but Pawel didn’t stop there. In the third and final part of the presentation, a problem in the implementation of the invlpg instruction in Intel processors was presented. The problem was mentioned publicly in a FreeBSD issue. Initially, it seemed like the same problem they had, due to some similarities, but after an in-depth investigation, even though they had things in common, they are actually two distinct problems, as he concludes in the penultimate slide. Intel confirmed it is a processor bug and issued an errata.

I conducted research with TLB in the past and even mentioned my experience in my slides in a simplified way for the audience at Null Byte conference. Processors and their resources are quite complex, and experimentation, regardless of the reason, is very important to consolidate knowledge and really learn how things work. Talking to Pawel, I mentioned that before conducting my research, I thought I understood well how things worked. He laughed and commented that he also had that thought before the work for the identification and solution of the problem they had.

Pawel’s presentation was excellent. It alone guaranteed me a great experience at the event, and I hope others present also had a bit of this feeling. The content was very well presented and of the highest level. An extraordinary opportunity for us Brazilians to appreciate content of this level of quality and originality.

CCC 38c3

The congress, as always, is super organized. The space is large, comfortably supporting tens of thousands of people. Food is still one of the bad points for me, but perhaps an exception for a few days isn’t so bad. I stayed at a hotel close to the convention center where the event was held, and this facilitated many things. It allowed waking up later, resting when necessary, and a good breakfast. I arrived a day early, picked up my wristband easily and quickly, walked around the event venue to scout it out, and returned only the next day. Let’s go to the presentations.

ACE up the sleeve: Hacking into Apple’s new USB-C Controller – Thomas Roth (Stacksmashing)

This was the first presentation I watched and perhaps the best. I knew the presenter from Twitter / X, but I had no idea who he was, much less his work. I follow many people, and although I know they are involved with hacking and information security, for the vast majority of people and professionals I follow, I would hardly be able to comment directly on their work. This was the case with Thomas Roth, popularly known as stacksmashing.

The presentation was about a microprocessor present in Apple devices, such as MacBooks and iPhones, responsible for managing the USB-C port. The device is known as ACE3 in more modern devices. In fact, the ACE3 manages much more than just USB-C commands. One of the mechanisms also present in this microprocessor is a debug feature. In older devices, there is a previous version of the microprocessor, known as ACE2. The presenter wrote code and designed a cable for the ACE2 that works with the Lightning port of previous Apple device models and had success hacking the devices to achieve arbitrary execution on this microprocessor. However, he had not yet managed direct access to the ACE3, and this version presents challenges that did not exist in the previous version. The presenter spoke about the differences between the microprocessors and how he managed to obtain code execution on the ACE3. This was a fantastic presentation, both for the level of content and the presentation skill.

https://media.ccc.de/v/38c3-ace-up-the-sleeve-hacking-into-apple-s-new-usb-c-controller

From Pegasus to Predator – The Evolution of iOS Commercial Spyware – Matthias Frielingsdorf

This presentation was really cool. It surprised me. Initially, I thought it would be a presentation only about the political side, but it was exactly the opposite. The focus of the presentation was the technical details. Matthias Frielingsdorf presented on the technical evolution of commercial spyware for iOS. How did publicly discovered samples evolve over time and what were the main differences among them? Despite being an iOS user, I don’t follow the security events/incidents closely and learned a lot from this presentation. Unfortunately, the slides do not seem to be available, but the full video of the presentation can be found at the link below.

https://media.ccc.de/v/38c3-from-pegasus-to-predator-the-evolution-of-commercial-spyware-on-ios

Can We Find Beauty in Tax Fraud? – Martin

CCC is an interesting event mainly due to the diversity of presentations. I found this presentation, by a presenter named Martin, interesting. Tax fraud is a topic I always have an interest in learning more about. I read books and follow what I can related to the subject. I believe it is a very interesting way to better understand the world, laws, and especially how people think.

The presentation was delivered in a way that apparently did not please everyone. At least one person I met during the event who also watched the presentation informed me that they didn’t like the way the presentation was done. One of the reasons was the presenter reading the slides. For me, this is not as relevant a factor as it apparently is for most people. I don’t care about the slides or if the presenter is reading. What I consider more relevant is the content, and I believe this presentation had a lot of interesting things. I would like to have the slides and save them to read calmly; however, I found only the videos. There were some interesting questions at the end and even more interesting were the presenter’s answers. Well, I won’t speak much about the presentation, but the link to the video is here:

https://media.ccc.de/v/38c3-can-we-find-beauty-in-tax-fraud

BlinkenCity: Radio-Controlling Street Lamps and Power Plants – Fabian Bräunlein and Luca Melette

This was the last presentation I watched at the conference. It is not a subject that interests me, regardless of being interesting to many. Hacking for me is not just about being cool; I have an interest directly related to my work or with what I like to consume. I probably watched this presentation only because the people who were with me wanted to see it. However, I was not disappointed.

The presentation was sensational; the presenters demonstrated great poise in public speaking. The hacking done by them was cool, with a high impact, fun, creative, and had an interesting part about physics. They discovered how to control street lamps and power plants in Germany. The link to the presentation video is below:

https://media.ccc.de/v/38c3-blinkencity-radio-controlling-street-lamps-and-power-plants

General Opinion on CCC

All presentations, at least the ones I have watched—not only in this edition but also in previous ones—seem to be of the highest level, ranging from technical excellence to the presentation itself. Some people commented to me directly at the event saying that some presentation could have been better presented, but for me, overall, all that I watched were very good. There are four days of the event, with some presentations happening until 00:00. Yes, midnight, and there are still presentations, as can be seen in the agenda. Being in Europe is a relevant point for me to attend the conference. I always take the opportunity to take a vacation and travel. Usually, I go to conferences in locations where I decide to spend a few days, and Germany is a place I always like to be.

Opportunities

At large and important events like CCC, great opportunities occur to meet people who perform important work in the security and information technology area. For me, working with low-level systems, there are always presentations and important people circulating through the event.

Negative Points

A negative point of the event, which does not apply directly to me but I see many commenting on with a negative connotation, is the date it is held. The event has a fixed date and always happens right after Christmas, from December 27th to 30th. Because it is December and in Europe, the event occurs in winter, and this also bothers many people. Another negative point is food, as I already mentioned. There are not many options for healthy eating at the event, and one has to travel into the city to find more interesting options. During the event, restaurants in the region end up getting full, sometimes making it difficult to find an option.

Conclusion

Overall, CCC is an extraordinary conference. I am usually very happy to be present and able to attend a conference of the size and relevance of CCC. It is a great option for anyone who wants to attend a conference of great global importance, in Europe, make friends, perhaps hack a little in the CTF, and get to know the city of Hamburg.

Author: Anderson Nascimento

A computer security researcher focused on understanding, discovering and exploiting computer security vulnerabilities.
