Black Hat USA 2024

From August 5th to 12th 2024, I attended Black Hat USA 2024 (and Defcon 32) in Las Vegas. I presented my research on Bypassing MTE with a side-channel attack. I returned to Korea this morning (luckily, no jet lag) and am writing this post to share my experiences from Las Vegas before I forget them.

First Black Hat experience

I’ve never been to Black Hat before, so I was very excited, especially since I was going to present for the first time at an international conference. There were lots of people, great talks, and free food and drinks 💙. Some gifts were also given: a Black Hat backpack, which I found very practical and useful, a tumbler with a straw, and a badge.

I also attended the speaker VIP party prior to the conference, where I had the chance to meet many researchers and security experts in person. It was so exciting to meet professionals I’ve only seen in papers.

For the sake of networking, I did try to connect with others, and I think it was quite successful. Since English is not my first language, it’s always challenging to communicate at such parties, but I was fairly able to communicate with others (shoutout to all my online English tutors!). However, I still feel like I need to expand my vocabulary to express my thoughts more clearly.

Regarding the venue, it was huge, so I had to walk a lot. I was exhausted every day because I only brought shoes with hard soles. I should have brought more comfortable shoes for walking. The business hall had many company booths where I could get free t-shirts and other company swag. I wanted to visit more booths but couldn’t, being busy with my talk and other things.

Despite the venue’s size, the briefing sessions weren’t as crowded as I expected. I’ve heard that the briefings were usually packed (about 10 years ago), but the session halls had plenty of empty seats. I only saw people lining up once, for the “15 ways to Break your Copilot” talk (does everyone want to break Copilot?). But most talks weren’t even half full.

Among the 5-6 talks I attended, some were really interesting and tackled the specific subjects I’m working on at the moment. It assured me that I was doing relevant research, but it also made me think I need to push our projects harder to complete them before someone else does 😵‍💫.

I found the LLM security talk by Richard Harang (Nvidia) very fascinating. Not only was the content excellent, but the way he presented was also very engaging.

My talk

As a first-time speaker, I was quite nervous about my talk, especially since Black Hat is a non-academic conference with a large and diverse audience. Before the conference, my advisor and I had many discussions about the content and visuals to make it easy to follow for the general audience. We also had multiple rounds of rehearsals.

At the conference, before my talk, I had a scheduled interview with Dark Reading. I expected it to be a simple, brief session that would be published as an article later. But it turned out to be a news desk-style live interview with a camera crew! I was so nervous because I didn’t expect it to be live, and I hadn’t prepared for that at all. It was the most overwhelming experience I had on this trip. Well, I think I did my best, staying calm and answering the questions somehow… 😅

On the day of the presentation, I felt quite confident–maybe because I had practiced a lot and had already gone through the anxiety of the live interview. I was also kind of tired of being nervous since my talk was scheduled for the afternoon of the last day. So I thought, “I don’t care anymore. I just want to finish this.”

The talk went successfully. I think I even enjoyed the feeling of being on stage and having the audience’s attention (?!). The audience seemed engaged in my talk (no one appeared to be dozing off or leaving the hall). Some gave me positive feedback afterward, which I greatly appreciated and which made me feel all the effort was worth it. I received many questions as well and was genuinely happy to see that my research was interesting to many people.

Overall, I really enjoyed presenting at Black Hat USA and highly recommend it. I loved the feeling of being on stage and all the speaker privileges from Black Hat. I definitely want to present at Black Hat again!

Other experiences

A few other things I did during the trip.

Google 0x0g party

During this trip, I attended the Google 0x0g party (Google Vulnerability Reward Program party). It was my first time attending such an event, and there were so many security engineers from Google and various companies. The party featured programs with talks and events, but it was mainly about networking and socializing. I got to meet people around the industry, and overall, it was a great experience.

Since I had given my talk about bypassing MTE the day before, I had some conversations about it. Opinions on MTE were quite divided across the industry, even within Google. Some were very positive about MTE, while others were quite negative, with some suggesting that MTE could be deprecated (?). This was interesting to me because, in academia, particularly in systems security, MTE is generally considered a promising direction for future security, as long as the cost is not too high. The cost is indeed a significant issue, but the Pixel 8 series has demonstrated that MTE’s performance overhead is negligible. I also have a paper under review that leverages MTE for attack mitigation. Unfortunately, it has gone through the review process at top-tier security conferences about 4-5 times, but no reviewer has raised concerns about the feasibility of MTE as a defense so far.

Another interesting thing I picked up, not only from this party but also from other people I’ve met in the past, is that high-end IoT device manufacturers are generally more positive about MTE. I’ve heard that Amazon is considering MTE for their future devices, and I also learned at this event that Meta is considering MTE for future Oculus devices. I wonder if this is because they are less concerned about the performance or other costs? In any case, it seems our research on MTE is still highly relevant to the industry, and I’m excited to see how it will be adopted in the future.

Defcon 2024

Defcon felt a lot less organized than Black Hat. As a non-CTF player, I didn’t find much to do at Defcon. I mostly wandered around some of the villages and attended a talk about bypassing Copilot (again, by a different speaker). Then I spent some time at the Car Hacking Village, where my advisor was participating in the CTF 😄. I just watched him play and worked on my own stuff. By that point, I didn’t have much social energy left, so I tried to focus on getting back to my research.

I also attended the AIxCC closing ceremony, where the winners of the AIxCC competition were announced. I heard the competition was quite intense, with participants dedicating a lot of time and resources. I was happy to see a few teams I know win the competition and move on to the final round. I really wanted to see AI beat previous techniques like fuzzing and symbolic execution, but I think we’re not there yet. Would love to see more progress in this area!

Hotels & Pools

I stayed at Mandalay Bay during Black Hat, and Fontainebleau during Defcon. Both hotels were great, close to each conference venue, and had nice pools.

Mandalay Bay was a classic hotel with a spacious room. It was a bit old-fashioned, but the room was clean and comfortable. The hotel was huge, and I had to walk a lot to get to the conference venue. I think I didn’t have enough time to explore the hotel during Black Hat, but I did enjoy their pool before checking out.

Mandalay’s pool was really nice. On Friday, before we checked out, we went to the pool, and surprisingly, there weren’t many people. With various pools–wave pool, lazy river, and regular pool–it was fun to hop around and enjoy the sun. Compared to wave pools in Korea, Mandalay’s had smaller waves, but they allowed people to swim in the deeper areas. While this seemed a bit dangerous for kids and non-swimmers, I actually had fun swimming in the pool where my feet couldn’t touch the ground.

We wanted to visit Mandalay Bay’s pool again after checking out, so we returned on Monday morning, paying $25 per person for a pool pass 😂. However, Monday was much more crowded, and I couldn’t enjoy the pool as much as I did on Friday. Maybe it was because the price was cheaper on Monday, or perhaps because Black Hat had ended and many people were staying at the hotel for vacation. Still, I enjoyed the pool and got a bit of tan 😎.

Fontainebleau was much more luxurious than Mandalay Bay. I had seen some reviews mentioning that the rooms weren’t always well-cleaned, but our room was okay–maybe not perfect, but acceptable. The room was a bit smaller than at Mandalay Bay, but the facilities were much newer and cleaner. They even had USB-C ports on the wall!

Fontainebleau’s pool was also nice. Although they didn’t have a variety of pools like Mandalay Bay, the pool was clean and not too crowded. They also offered free parasols for sunbeds! I had a great time swimming and relaxing at the pool.

Despite its expensive image, some restaurants at Fontainebleau were good and reasonably priced, considering the usual costs in Las Vegas. Our favorite was a Hong Kong-style restaurant called “Washing Potato”. We had lunch there twice to enjoy dim sum and noodles 😋.

Casinos

I thought I wouldn’t be a fan of casinos, but I actually liked playing the games. I played blackjack and roulette, mostly at Fontainebleau, and ended up broke 😂. I realized that I’m not good at gambling because I’m too optimistic, which is great for research but not for gambling. In games like these, it’s obvious that you’ll lose in the long run, but I kept thinking I could win. Perhaps I should learn how to play poker instead (?!). Maybe next time! 😄

Conclusion

I had a nice time in Las Vegas, although at times the place felt a bit too crazy for me. I loved my experience at Black Hat USA. I enjoyed presenting my research, meeting people, and learning about the latest security trends in research and industry. It definitely motivated me to work harder on my research and return to Las Vegas as a speaker again!