Dr. Ang Cui is the Founder and Chief Scientist of Red Balloon Security.
Dr. Cui received his PhD from Columbia University in 2015. His doctoral
dissertation, titled "Embedded System Security: A Software-based
Approach", focused exclusively on scientific inquiries concerning the
exploitation and defense of embedded systems. Ang has focused on developing
new technologies to defend embedded systems against exploitation. During
the course of his research, he has uncovered a number of serious
vulnerabilities within ubiquitous embedded devices like Cisco routers,
HP printers and Cisco IP phones. Dr. Cui is also the author of FRAK and
the inventor of Software Symbiote technology. Ang has received various
awards for his work on reverse engineering commercial devices, is the
recipient of the Symantec Graduate Fellowship, and was selected as a
DARPA Riser in 2015.
100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream Shenanigans
First commercially introduced in 2013, the Cisco Trust Anchor module (TAm) is
a proprietary hardware security module that is used in a wide range of
Cisco products, including enterprise routers, switches and firewalls.
TAm is the foundational root of trust that underpins all other Cisco
security and trustworthy computing mechanisms in such devices. We
disclose two 0-day vulnerabilities and show a remotely exploitable
attack chain that reliably bypasses Cisco Trust Anchor. We present an
in-depth analysis of the TAm, from both theoretical and applied
perspectives. We present a series of architectural and practical flaws
of TAm and describe theoretical methods of attack against such flaws. Next,
we enumerate the limitations in current state-of-the-art offensive
capabilities that made the design of TAm seem secure.
Using the Cisco 1001-X series of Trust Anchor enabled routers as a
demonstrative platform, we present a detailed analysis of a current
implementation of TAm, including results obtained through hardware
reverse engineering, Trust Anchor FPGA bitstream analysis, and the
reverse engineering of numerous Cisco trustworthy computing mechanisms
that depend on TAm. Finally, we present two 0-day vulnerabilities within
Cisco IOS and TAm and demonstrate a remotely exploitable attack chain
that results in persistent compromise of an up-to-date Cisco router.
We discuss the implementation of our TAm bypass, which involves novel
methods of reliably manipulating FPGA functionality through bitstream
analysis and modification while circumventing the need to perform RTL
reconstruction. The use of our methods of manipulation creates numerous
possibilities in the exploitation of embedded systems that use FPGAs.
While this presentation focuses on the use of our FPGA manipulation
techniques in the context of Cisco Trust Anchor, we briefly discuss
other uses of our bitstream modification techniques.
Hot Tub Island
Take a boat out to Hot Tub Island! Just meet at the dock next to the event venue to catch a ride out.