Mar 13, 2015
Qualcomm products mentioned within this post are offered by Qualcomm Technologies, Inc. and/or its subsidiaries.
I’m pleased to announce the lineup for Qualcomm Mobile Security Summit 2015. Following is a brief overview of the sessions/presentations. For more details, click the downloadable PDF at the bottom of this post.
Thursday, April 30, 2015 – Summit Presentations
Attackgraphy with Kyle Riley and Bernard Wagner
Kyle Riley and Bernard Wagner—a duo of MWR Labs winners of mobile Pwn2Own 2014—aim to engage you with a fresh perspective on how attackers are targeting Android devices. Various remote attack vectors will be discussed, ranging from leveraging application vulnerabilities through to advanced attack chains.
Digging for Android Kernel Bugs with James Fang and Sen Nie
Since Android 4.4, SELinux is enforced by default and efficiently mitigated threats from user space. However, by attacking kernel, an attacker can still obtain full system control. James Fang and Sen Nie of Keen Team will discuss the tools and methods they used to discover multiple kernel vulnerabilities in commercial devices.
Mobile Malware: A Network View with Kevin McNamee
Mobile devices are becoming the target of choice for cybercriminals. Kevin McNamee, director of Alcatel-Lucent’s Motive Security Labs, will provide an in-depth view on the mobile malware that is currently active on the Internet, how it is monetized and the impact it has on network resources and the user experience.
Testing WCDMA and LTE Mobile Stacks with Benoit Michau
With the development of more and more hardware and software projects related to wireless communications, it is becoming more affordable for auditors to test the implementation of 3G (WCDMA) and LTE mobile stacks and modems. Telecom industry veteran Benoit Michau will discuss the benefits of testing, using 2013/2014 examples when errors and bugs discovered while evaluating terminals against the basic procedures described in 3GPP standards.
Practical and Efficient Exploit Mitigation for RISC-based Embedded Devices with Collin Mulliner and Mattias Neugschwandter
Learn about a novel approach for exploit mitigation—from a pair of a security researchers—that is specifically tailored toward embedded systems that are based on the common RISC architecture. Their technique borrows ideas from several areas including control flow integrity, system call monitoring, static analysis, and code emulation, and combines them in a low-overhead fashion directly in the operating system kernel.
Android App “Protection” with Tim Strazzere and Jon Sawyer
The Android ecosystem is full of interesting types of “protection” for applications; packers, obfuscators, and tools to mangle everything in between. Tim Strazzere, lead research and response engineer at Lookout Mobile Security, and Jon Sawyer, CTO of Applied Cybersecurity LLC, intend to discuss the characteristics of these protections, how to both implement and defeat them, and the usage and prevalence of these tactics in the wild.
Android Security State of the Union with Adrian Ludwig
The world of security is riddled with assumptions and guesses. Using data collected from hundreds of millions of Android devices, Adrian Ludwig will establish a baseline for the major factors affecting security in the Android ecosystem.
Android Security Modules with William Enck
Android, iOS, and Windows 8 are changing the application architecture of consumer operating systems. These new architectures required OS designers to rethink security and access control. While the new security architectures improve on traditional desktop and server OS designs, they lack sufficient protection semantics for different classes of OS customers (e.g., consumer, enterprise, and government). This presentation from William Enck, an assistant professor in the Department of Computer Science at NC State University, will motivate OS security extensibility in the Android OS.
Friday, May 1, 2015 – Device Security Update Presentations and Breakout Sessions
An Update on Android Security Updates with Jon Larimer
The Android Security Team has been doing extensive analysis of CTS and device data to understand which Android devices are updated and how often. Jon Larimer, a senior security engineer on the Android Security Team, will share his findings and suggest changes to the current patch management process that may improve the responsiveness of the Android ecosystem to security issues.
Let's Patch: An analysis on Android challenges in distributing open source patches on proprietary hardware with Patrick McCanna
PC’s get patches every month. Apple has been very efficient in creating and distributing security patches. The AOSP source is updated regularly. Why is Android patch distribution so delayed? Shouldn’t it be easy to distribute the AOSP source changes as updates to launched devices? Patrick McCanna of AT&T will illustrate the various challenges in distributing updates to the end user—insightful for anyone in the field of mobile security.
Xiaomi device OTA update for security patches with Juhu Nie and Yang Zhang
The device security update is one of the most critical steps to address security vulnerabilities in end-user devices. In this presentation, Xiaomi security researchers Juhu Nie and Yang Zhang share the findings and lessons learned from a real-world security update program involving Xiaomi and Qualcomm; introduce the Xiaomi device update mechanism and process; and share statistics on the scope and timeline of security-related device updates.
Breakout Session: Patching moderated by Arun Balakrishnan
Patching is an important component of securing software & devices. This session will focus on patching security vulnerabilities in the mobile ecosystem. It will build on last year’s Mobile Security Summit session and likely encompass:
- The state of patching in the mobile ecosystem
- Understanding the challenges & opportunities specific to mobile ecosystem
- Exploring steps to make patching more streamlined & ubiquitous
Breakout Session: Open Source and Security moderated by Renwei Ge and Neil Lofland
Use of open source code & libraries is ubiquitous in today’s projects. We have been seeing the impact of security vulnerabilities in popular open source libraries on product security. This session will likely deal with:
- The role of open source
- Initiatives to secure core libraries
- Approaches to working with open source community
That’s the recap. We look forward to seeing you at the Qualcomm Mobile Security Summit 2015, April 30 & May 1. To request an invitation, please contact firstname.lastname@example.org.
For a complete agenda and more details about the sessions and speakers click: