We're looking at the side of my head; it looks like a weird purple. Does it show up the same way for you? Mute. Awesome. All right. Well, it is 12 9 30, so we can get started with the first Q&A of the day here at DEF CON Safe Mode. My name is P. Labri 9. I'm here with my fellow goon, Fallible. Fallible, greetings. And we are also here with our first speaker of the day. We are here with Feng Xiao, who is going to answer your questions all about his presentation, "Discovering Hidden Properties to Attack the Node.js Ecosystem." Hey Feng, how's it going?

Hi. Good. How are you guys doing?

Great. It's awesome to have you here. I watched your presentation. You did an incredible job with that; I highly recommend that people go check that out. It's available on YouTube; DEF CON has those videos up. And you can also ask questions to Feng on the Discord channel, at the Track One Live Q&A channel. So yeah, we have a few questions that are coming in, so we can ask him some of those questions. Let's see... DEF CON presentations?

Okay, so before the Safe Mode talk, I only came to DEF CON once, and that was my first time. That talk was in 2018. So in that talk I presented some new vulnerabilities that I discovered in software-defined networks. Yes. So this is actually my second time at DEF CON.

That's fantastic, and we're really glad you decided to come back and join us again. There was somebody who was trying to ask if we were going to do first-time rituals with you, but we don't have to, because you're an old hat with this. You've already done that, so that's awesome. Let's see, we've got some questions coming in. One of the questions that we were kind of wondering about, with your research that you did on the Node.js ecosystem, is: what type of people should use the tool that you released? I know you mentioned the tool in your presentation. Maybe you want to mention that a little bit, and what kind of people should be using that sort of thing? Okay.
Yeah, so this is our research, which is kind of a widespread problem; many GitHub or npm projects have this problem. So I believe that there are two kinds of people that would want to use this. The first kind of people is the developers. I believe they can use this to detect their own software, so that they can catch and discover all these hidden properties before they release a version. And the second type of people that we think can use this tool is some white hat pentesters or hackers. When they want to do some security analysis, maybe they can use these tools to detect some vulnerability problems they see in their projects.

Yes, excellent. All right. So, yeah, for sure. Let's see. So also, from one of the things that you mentioned in the presentation, where you had this discovery in Node.js, you also referenced Ruby on Rails and PHP. So does it exist in those languages and platforms, and could it exist possibly in others? Should people try to go find this same vulnerability in other platforms?

Okay, thanks for the question. So yes, as you guys have already observed in my presentation, the root cause for all the vulnerabilities mainly comes from the object sharing. So if a language platform has such a feature, or some applications are using some kind of object sharing, then they could have a problem there. But why are we studying Node.js here? It is because of the language: the object flexibility of JavaScript. The object can be really flexible, so this empowers the attacks to propagate a lot of bad things into the programs. So that's why we are studying Node.js, and we believe maybe there are other problems that are not discovered yet, but I think it is really a good direction to also explore this in other languages as well.

Yeah, excellent. All right, checking for some more questions from the audience here. I'll check for questions.
Why don't you see if you can get that video up just a little bit higher, too. One thing: I'm gonna turn my camera off and just see if that bumps him up. Right, exactly, no one wants to see our faces. So yeah, Deadly Cobb wants to know: when will the tool be released? He says, or this person says, they're only seeing a "coming soon" on the repo at the moment.

I would like to mention in the Q&A... So for now, as you guys may have all observed from the presentation, there are several components in my talk, in the code, and obviously from the perspective of user experience it is not that well designed. So you have to type in some commands to use it. So what we are doing now is, first, we are cleaning up the project code, and also we are making documents for it. So probably the short answer is that we are going to release it no later than the end of August. Yes.

Oh, excellent. So that's great to hear. Right. See that? Okay, cool. Let's see who else we have on there that wants to ask questions of our first speaker. Okay, cool.

Thanks. Thanks for the question. So for prototype pollution in JavaScript, we are talking about some kind of attack that tampers with the prototype object, which is a special type of object in the JavaScript language. However, in our attack that is not our target. For example, in our attack we are targeting some user- or application-specific attributes, or something else. And also, as you may already have heard from my presentation, we have something that is closely related to the prototype, but it's not about modifying the prototype; it is that we are trying to find some attributes that can be found on the prototype and hijack them. So yes, there's a big difference between HPA and prototype pollution.

Excellent. Thanks for that question. Okay, thanks.
All right, let's see. And I know sometimes when you give a presentation, we know from experience that sometimes you have to kind of leave things out, that you really want to focus on the main issues. Was there any kind of extra tips or extra things that, if you had more time, you might have included? Anything else that maybe people can think about with regard to the vulnerabilities that you found, or anything else that they can kind of think about around your research?

Yeah, so we do have time constraints, and we always have to remove some very interesting things from the talk. And to be honest, if I had the time, I really want to case study every one of these CVEs in the research, because that's what people are expecting, and I think those vulnerabilities are really interesting. So that is the first thing that I come up with when I want to add more to it.

Excellent. Is there anything that maybe other people who enjoyed your research could also kind of dig in and take a look at and possibly look for as well? So I know a lot of times people just want to kind of add on to research that they find, and like, that's really great stuff, maybe I can find the next thing with that. When you were doing your research, did you have other ideas of things that maybe you didn't have time to look into, and maybe other people would have time to kind of help out with?

Yeah, so also I think I can share some ideas. Oh yes, so for those years I found a lot of interesting applications. For example, I found that there are many applications now deployed on the serverless platform. I think that would be an interesting direction. Yes, so this is kind of a new environment, different from the traditional server environments, and there are a lot of Node.js programs running on the serverless platform. So yeah, maybe that could be one interesting direction, and maybe somebody here hears my thoughts, maybe they can come up with some great
ideas and present them at next year's DEF CON, and I will be happy to see that.

Yeah, that's excellent. All right, looking for more questions that people have for you here. Settings here. Thank you everybody, and especially for joining us for this chaos of figuring out how to get the stream to work properly. You're our first guinea pig, so, and thank you everybody in the stream chat telling us some suggestions of how to fix stuff like that. We'll also go and see if we can kill our Discord notifications. So Feng, do you have any other thoughts about... I know that you kind of hit this already, but is there anything in the talk that you would have liked to include, but you didn't get a chance to give to us in your presentation?

So far, there's a lot of details, right? You know, our research, or our project, actually I have been working on this project for almost about one year, so there's a lot of details and things I would like to add to it. Actually, a good thing about that is we are releasing, we're going to release our code, right? So many people can know a lot of details about our research. And also, we have a plan to release a white paper, and I have been working on it for a while. So I see, so if it is possible, I can also share my Twitter account, so maybe people who are interested in this research can follow me, or I can also follow back, and I will update the status of this work when I release something.

That's a good idea. I'm sure there's a lot of people who'd be interested to know more about that, and good work. Well, we'll make sure that we get that out to anybody who wants to see it.
Actually, we'll probably post that in the Track One channel, so I'll get that in there while we keep chatting. I see close to what you've been working on, and close to what you're interested in next. It sounds like you're open for more people to come up with other thoughts and some other research directions for you. I'm sure I would like to know, and I'm sure some other folks would like to know as well. Are you open for... Yes, I'm not sure exactly where I was trying to go now, other than if people want to come to you and talk about this further, you've given them your Twitter. There's a... well, let me step back. I'll think of my question a little bit harder and come up with another one. In the meantime, you know, tell us more about how you came upon this research.

Oh, you mean how come, and how do I discover all these things, right?

Please. Yeah.

Yeah, so the process I discovered is, one bit is kind of like, things I enjoy: eyeballing the source code of open source projects to try to discover one of these. So when I take a look at some projects, some of my targets, I kind of discover some properties that are kind of like, okay, well, I see, I think that I can modify them, but there's no documentation, no API documentation, for many of them. So that's why I just try to modify those properties, and yes, I can alter those original values and do something bad. So this is the very beginning, or our motivating cases of that. So that's why we come up with our new tools.

That's an interesting way. So it sounds like then you spend a certain amount of your time, as you're doing whatever your day job is, hunting around and finding ways that things are broken. So can you give us a little bit more thought, for some of the other folks who are coming up and working on their own projects: how do you identify when you are finding something that would give you a DEF CON talk? How do you identify something that you'd like to pursue further?
Okay, so thanks for the question. So I would say, yeah, I have some thoughts about how to make a DEF CON talk or Black Hat talk like that. So for me, if I can find some result or some new findings which I think, first, can be used in some real-world settings, for example, if I found a vulnerability that is exploitable in the production environment, I will say yes, this could be some DEF CON or Black Hat talk. And also, if you really think this is a widespread problem, maybe you should consider building something, some tools, or at least some scripts, so that people can use your code or use your things, and make the whole process of discovering...

I like that. So you're starting small and you're building out things that are potentially useful, and then once you have small things that you can start to release, you start to build the community around that, build additional motivation, additional activity.

Yeah.

Yeah, I think also it's great to point out one of the points that Feng just made. When you start thinking about what is going to be good research and showing it around, I know a lot of times people think, like, this is not really interesting to anybody but me, and it's not going to make a great talk anywhere. And I know a lot of people have that kind of thought, and my experience has always been that there's definitely other people that want to hear your research, and that you should definitely try to share that kind of information and research anywhere you can. So that was a great point that Feng was giving to us there. There is also another question for you here that seems interesting, from Soft Tortilla, who wants to know: can you elaborate on the expected difficulty of getting those 12 CVEs patched? Do you think there's going to be much difficulty with getting those fixed?

Well, that's an interesting question.
Yes, so for the vulnerability patching process, I do have some words to share with you guys. So, yes, at the very beginning I found that people are not accepting those. One reason is, they say, they just think that, okay, so this is like some minor issue, I don't want to patch it. But things went differently as my research proceeded. So I found more and more CVEs, and many people and industry companies started to look at these problems, and after things became this way, things changed. For example, there are some commercial scanners starting to alert on such vulnerabilities, and some vendors who previously declined to patch those bugs have, mmm, now, because those vulnerability scanners start to say something like, well, this already has... you cannot use those libraries. So, yeah, so this is kind of like a process: nobody knows your research, and kind of like nobody... but what, and after you get it, you are getting more results, people are starting to look at it, and they will say, well, this is really interesting and important problems and I want to patch it, because it is also affecting our package usage.

Excellent. Yeah, and you also, at the beginning of that, mentioned that sometimes people think, like, this isn't a big deal, so I'm not going to bother patching it. But for people that might not have seen your presentation yet, I believe that you were able to take user input, bypass protections, and were you able to show SQL injection during your presentation? How far were you able to kind of... how critical were the vulnerabilities that you were able to kind of take this, take the exploits that you were doing in your presentation, like some of the exploits that you were able to do, and how far were you able to take it?
Yeah, so the final attack effects really depend on the type of those, right? So for the case study presentations, we are taking some web frameworks so we can build examples: okay, you see, if we bypass this, we will bypass your protections, we can do something really bad. Some other modules, attacking them seems more vague, which means people will say, well, it seems like some minor logic bug, but it turns out that those minor logic bugs also can be a really big problem when they are being...

Excellent. Let's see, Fallible, were you able to find any others in there? If not, I know that there's a couple of other questions, but I wanted to see if you had one that you pulled out.

So there are some more people talking; people are asking more about, something to your answer a little bit about, how you found that target. I do have one other slight sidetrack question. It says that you are a PhD student at Georgia Tech. Are you willing to tell us what your thesis is about?

This is... okay, so that is my worry. Okay, so I'm kind of, I see myself as kind of a hacker, which means whenever I find something interesting, I will try to hack them. So that's why previously I did some hacks in software-defined networks, which gave people an impression that I'm working on network security, and now I'm attacking Node.js, so people may think, okay, so you are doing some web application security, right? Yeah, but actually I can tell you guys that my next goal may be in the hypervisor, which is... so I'm going to work on something else, at x86 virtualization. So I don't know what's going to be my thesis topics, because traditionally people will have a unique or unified topic for their thesis, but for me it's more about hacking and building tools to detect those annoying issues. Yes.

So you're still trying to narrow down exactly what you want your thesis to be, huh?
Yes.

That's exciting. What's the biggest surprise you came across doing this research?

So there's a lot of moments that I think really make me happy. For example, the moment I find the vulnerabilities from some widely used programs, such as mobile TV for the house or something else. Those are some moments that make me really happy, and also when I found that my talk was accepted by DEF CON, that also made me really excited. Yes.

What else do we have? A lot of people in there chatting, talking some good stuff for you here, Feng. Um, how about one question: for people who haven't really done vulnerability research, what's your advice on how somebody can pick a target? Your research here is on Node.js, but if somebody else wants to do vulnerability research, how should they go about starting that and choosing a target for that?

Yeah, so my experience, or my suggestion, is... yeah, I can conclude the two kinds of vulnerabilities that people may want to take a look at. So the first kind of vulnerability is like something our talk is about: some logic bugs, and people can find some ways to exploit those vulnerabilities and manipulate the program logic. So that's one direction, and usually it is hard to directly find those vulnerabilities without knowing the internal logic of the applications. Yes, and the second category of vulnerability finding can be in the library. So because there are already some well-established concepts, and if you do fuzzing, you may also take a look at those parsing things. So you may find some interesting results. And in fact, vulnerability is everywhere, right? So if you use those tools, you can get some results.

Excellent. All right. But it looks like we're coming down to the end here. This has flown right by. We only got a couple minutes left with you. So if anybody else has any questions that they want to get in to Feng, please
put those on the Track One Live Q&A Discord channel. Yeah, are you doing good? The question I would finish up with would be: do you have a call to action for those of us watching? Do you have something that, just for research, you would like somebody else to look at, that is tangentially related to what you're working on? Or how would you point other folks who are interested in this subject towards more?

You mean more in Node.js?

Yes, more specifically related to the action shown.

Yeah, so for Node.js, there are some related attacks that people may be interested in looking at. So I can list them here. So for example, prototype pollution, yes. So you may want to take a look at it. And after you're looking at that, you may find that there are some connections or some differences between this and our talk. And after prototype pollution, you may also want to take a look at some well-known denial of service attacks in Node.js. Denial of service attack is really a big issue for Node.js due to the single-thread event handling model. Yes, so if you search keywords like DoS, Node.js, you can find a lot of useful results about how people attack Node.js applications. So that's kind of two research that I would like to mention here.

I appreciate that. Thank you. So I really appreciate your willingness to come and, first off, give a presentation here at DEF CON. This is one of those community events that only happens because of the people like yourself who come out and do the research and do the presentation. So thank you very much. And thank you for being our guinea pig on our Q&A streaming here. If anybody has any additional questions, we can continue to attempt to get those over, or I would recommend looking at the Twitter account that I did link in the Track 1 channel. Otherwise, we will go ahead and wrap this up. Thank you everyone who had suggestions and considerations here. And we'll go ahead and sign off. So thank you all. Big wave. Thanks, Feng. Thank you.