BSides Berlin

Doors open - Registration

Opening Words

Opening Keynote

Break

Sneaky Remap - Shared Object Cloaking with a Minimum of Fuss Stuart McMurray

This talk describes sneaky remap, a technique for hiding a loaded shared object file on Linux. It starts with the context surrounding shared object loading during operations on Linux Targets but the bulk of the talk revolves around sneaky remap's nuts and bolts.

Coffee Break

Weaponizing Image Scaling Against Production AI Systems Kikimora Morozova

AI vision systems see differently than humans do. When platforms downscale uploads to save compute, the mathematical properties of interpolation algorithms create exploitable artifacts. In this presentation, we'll show how to craft images which use invisible pixel perturbations to reveal malicious prompts after downscaling, triggering unauthorized tool execution across Google Gemini, Vertex AI, Google Assistant, and Genspark.

Beyond image downscaling, we’ll explore the broader attack surface, including audio transformations, dithering algorithms, and other preprocessing steps that become prompt injection vectors. You'll learn to fingerprint vulnerable systems using test patterns that reveal specific downscaling implementations across ML libraries. We'll demo Anamorpher, our open-source tool for automated attack generation, with both Python APIs and visual interfaces, as well as examine practical mitigations from displaying actual processed images to implementing design patterns resistant to prompt injection, such as the action selector pattern.

Break

A Deep Dive into Model Context Protocol (MCP) Security Anshu Gupta

As organizations rapidly adopt Large Language Models (LLMs) to power enterprise applications, ensuring the security of context-driven interactions has become a critical challenge. The Model Context Protocol (MCP) is emerging as a standardized framework that governs how models are prompted, contextualized, and integrated into real-world workflows. While MCP enables richer, more adaptive use cases, it also introduces new and complex attack surfaces that require deliberate security strategies.

This session provides a comprehensive exploration of MCP security, highlighting the unique risks and defenses associated with context-aware LLM deployments. We will examine threat vectors such as context injection, prompt leakage, chaining abuse, and data exfiltration through contextual inputs—issues that can compromise both system integrity and sensitive enterprise data. Participants will gain insight into adversarial use cases, including indirect prompt injection and model manipulation via context chaining, demonstrating how attackers can exploit seemingly benign contextual elements.

In addition to identifying risks, the session will provide a practical roadmap for hardening MCP implementations across diverse environments, from proprietary in-house systems to API-based LLMs like OpenAI, Anthropic, and Cohere. Core strategies include input validation, sandboxing, establishing contextual trust boundaries, and embedding audit logging into MCP workflows. We will also discuss the role of prompt hygiene, red teaming, and continuous monitoring to build resilience against evolving threats.

By the end of the session, attendees will have a clear understanding of MCP’s structure and components, practical techniques for securing LLM interactions, and recommendations for aligning MCP security with existing AppSec and SOC workflows..

Lunch Break

Linux Malware Packers and Loaders - A Comprehensive Analysis of Evasion Techniques and Detection Challenges Massimo Bertocchi

This presentation examines Linux malware packers and loaders as sophisticated evasion techniques that pose significant challenges to modern cybersecurity defenses. Malware packers compress, encrypt, and obfuscate executable code, while loaders execute the original malware directly in memory, enabling fileless execution that bypasses traditional detection mechanisms.

The research includes a case study of the Lazarus APT group's ThreatNeedle malware, demonstrating real-world implementation of multi-stage deployment with in-memory execution capabilities. A practical analysis of the hARMless ARM64 ELF packer/loader system illustrates key technical components including RC4 encryption, CRC32 integrity verification, and direct ARM64 syscall implementation. The presentation reveals critical security implications: traditional EDR solutions have significant detection gaps on Linux systems, static analysis proves insufficient against packed malware, and memory-based execution complicates forensic analysis. Defensive strategies require implementing syscall-level monitoring, deploying behavioral analysis capabilities, and maintaining comprehensive logging for effective threat detection and response.

Break

Inside Mythic: Dissecting a Modern Attack Framework Stephan Berger

Your mission, if you choose to accept it: take on the role of a detection engineer to dissect the most popular attack framework for attacks against macOS, Mythic.

Mythic has various agents that can be easily integrated into the framework. In this talk, we will show common features of the agents, including how C2 communication works, how persistences can be set up, and how additional code can be executed.

Our goal is to develop robust strategies for detecting these agents and to identify additional traces on the system that can be found by executing these agents on an infected computer.

For the red teamers, we will discuss OPSEC considerations that need to be taken into account when using specific commands to prevent immediate detection through an EDR.

Break

Accidental Backdoors: Supply Chain Stories That Could Happen to You Valeriy Shevchenko

Even well-defended companies can be compromised through their supply chain. In my bug bounty experience, I discovered cases where third-party contractors—without malicious intent—introduced vulnerabilities that completely bypassed strong internal security. Misconfigured integrations, unsecured development environments, and overlooked vendor practices became unexpected entry points.

This talk will share real-world stories of how unconventional approaches to vulnerability hunting uncovered hidden weaknesses in trusted partnerships. We’ll explore why organizations often fail to account for contractor security, and how those blind spots can lead to full system compromise.

Attendees will gain practical insights on recognizing supply chain risks, strengthening vendor oversight, and ensuring that external partners don’t become the weakest link in their security strategy.

Coffee Break

Talk to be confirmed

.

Break

Closing Keynote

AI for AppSec and Offensive Security: From Automation to Autonomy Patrick Ventuzelo

Artificial Intelligence is transforming the way we approach application security and offensive security — moving us from tool-based automation to the early stages of autonomous vulnerability research. From DARPA’s AIxCC challenge to emerging agent-based systems, AI is showing how fuzzing, auditing, and workflow orchestration can scale beyond what human teams alone can achieve.

This keynote will explore how AI is applied to code auditing, harness generation for fuzzing, and vulnerability triage, before introducing the new paradigm of multi-agent systems that act like a full red team. We’ll also examine the challenges of benchmarking and reproducibility in this space, and speculate on what comes next: specialized models, autonomous red teams, and community-driven marketplaces for sharing knowledge, agents, and workflows.

The offensive security engineer of tomorrow won’t just run tools — they’ll orchestrate a team of AI collaborators.

Closing Words