The Presentations

Breaking the JavaScript ASLR

Ben Gras

This talk presents an ASLR-breaking side channel that exploits a fundamental property of the CPU architecture yet is exploitable from JavaScript. This means browser exploitation from JavaScript will be easier, as memory disclosure bugs are no longer needed to exploit bugs in the browser and JavaScript runtime. We have POCs for Firefox and Chrome. This side channel has been confirmed to be present in all 22 different microarchitectures that we tried - including many current-day Intel, AMD and ARM CPU microarchitectures.

More concretely, we are able to write malicious JavaScript code that is able to compute full 64-bit virtual addresses of JavaScript data and code locations, as they are being looked up by the MMU, hence breaking the JavaScript ASLR. We do not rely on any software vulnerabilities to do this.

In this talk we detail the technical workings of this technique, revisiting some CPU architecture lessons as needed. We combine these to form this side channel. Then we discuss its implementation in JavaScript, show its performance in some metrics, and show a video demo.

Reverse Engineering the Linear DX Wireless Security System

Mikhail Davidov

The Linear DX wireless protocol is as old as dirt and utilized in many physical security components like PIR sensors, bill traps, and door lock strikers. Here we will walk through the black box reverse engineering of the wireless signaling and destroy some of the vendor's security claims by enumerating the entire key space. We'll also cobble together a universal transmitter out of an existing remote and a BeagleBone Black capable of triggering some receivers in as little as 30 minutes and jamming other transmitters.

More presentations to be announced soon!