CSIT is the strategic partner with DEF CON and Home Team Science and Technology Agency (HTX) to bring the first-ever DEF CON SG to Marina Bay Sands from 28 to 30 April 2026.
Find us at C517, CSIT's Village dedicated to cyber enthusiasts!
DEF CON SG will feature all the key elements of the inspiring DEF CON experience, including conferences, hands-on Villages and Capture-the-Flag (CTF) competitions.
Come fuel your brain through talks that unpack attackers’ techniques across a spectrum of topics that span vulnerability discovery, exploit research, red-teaming and more. Regardless of where you are on the practitioner’s journey, join us at C517 Village to hone your skills and exchange insights as we hack together to secure our highly connected world.
Come hack together at our C517 Village! For more updates on C517 Village, follow us on LinkedIn and Instagram!
TISC@DEF CON SG is a special edition of the annual CTF competition organised by CSIT, designed to uncover the best Singaporean CTF talents at DEF CON SG. It provides opportunities for Singaporeans to put their cybersecurity and programming skills to the test by solving challenging puzzles against the clock.
TISC@DEF CON SG is an individual competition. Participants are required to complete a variety of challenges across different domains including, but not limited to, Forensics, IoT, Pwn, Reverse Engineering and Web.
TISC@DEF CON SG comprises two stages: online qualifiers and on-site finals, in a jeopardy-style CTF format.
Find out more about TISC@DEF CON SG here.
Exploiting The Invisible
Programme is subject to changes without prior notice.
During this session, we will share a simulated water testbed and the attacks that can work on it.
CPL Kenrick Yeo
Cyber Operator, The Digital and Intelligence Service (DIS)
ME4 Eugene Ong
C4X (Cyber), The Digital and Intelligence Service (DIS)
Reverse engineering (RE) is time consuming and resource intensive. With recent advances in AI agents and large language models (LLMs), we share our journey in applying these technologies to accelerate the malware RE process.
Theodore Lee
Critical vulnerabilities like CVE-2025-52691 remind us that “low-hanging fruit” still exists today. This session deconstructs how simple, overlooked design flaws can be weaponised for catastrophic impact. We will also share practical insights on how to mitigate these threats, with strategies that can be implemented at different levels.
Chua Meng Han
Manager (Network and System Security), CSIT
The InfoSecurity Challenge (TISC) is one of Singapore's most anticipated Capture-the-Flag (CTF) competitions, hosted annually by CSIT. Join one of the challenge creators as he shares his creation process and learn what goes on behind the scenes.
Arne Sim
Consultant (Enterprise Security), CSIT
As AI accelerates development and increases system complexity, robust defence-in-depth and deep technical expertise are becoming increasingly critical for defenders. This talk highlights that effective security requires going beyond severity ratings to truly understanding threats and prioritising real-world exploitability.
Kian Woon
Browser Hobbyist
Grammar-based fuzzing made painless! This talk highlights how the generation of grammar files for browser WebAPIs can be automated and visualised with the help of a network graph.
Shawn
Cybersecurity enthusiast
Cai Min
Cybersecurity enthusiast
This talk breaks down the discovery of CVE-2025-52692, a zero-day vulnerability in the widely used Linksys E9450 SG router. We will show how a simple string comparison flaw allowed a complete authentication bypass, eventually gaining full root access with a single HTTP request.
Lam Jun Rong
Javier Koh
You click on a link. A download prompt appears. Your mouse suddenly seems to take on a life of its own and clicks the pop-up. Before you know it, your Windows machine belongs to me.
This session breaks down an amusing and far-fetched (yet entirely technical) exploit chain, starting from the highly restrictive Chromium renderer process and escalating to kernel-level privileges by chaining and abusing three vulnerabilities: CVE-2024-5274, CVE-2024-11114, and CVE-2025-29824. I will be sharing my learnings, laughs and grief while venturing into V8, Mojo, CLFS and everything in between (i.e. Ubercage, kCFG) while attempting to make this work.
Ernest Ang
Engineer (Mobile Security), CSIT
Security Breaks at the Edges of Trust
What does an air-gapped system really mean in practice? This talk introduces the basics of air-gapped systems and data diodes, then explores how real-world requirements shape system design and what that means for security.
Daniel Siok
Consultant (Cyber-Security), CSIT
This presentation expands on prior research into CVE-2024-27304 through a proof-of-concept walkthrough of SQL injection at the protocol level. It clarifies exploitation conditions, details the exploit steps, and demonstrates the vulnerability through custom exploit code targeting a Harbor deployment.
Sim Wei Jun
CSIT - Nanyang Scholar
Using the rubber ducky to deploy a large payload in an air-gapped environment is no easy feat. This talk introduces a way of leveraging USB descriptors to store a large payload in the Windows Registry and retrieve it through keystroke injection.
Lim Jing Qiang
Consultant (Network and System Security), CSIT
An insecure JavaScript bridge (JSB) in Android WebView allows attackers to abuse exposed interfaces to read local files and steal session cookies, leading to full account takeover via malicious deep links and JavaScript injected into the Android WebView context. During this session, we will dive into the details.
Kang Hao
InnoEdge Labs
During this session, we will share an automated end-to-end AI workflow for performing digital analysis on Windows images, capable of fully on-premise investigation.
LCP Liu Wen Kai
Cyber Operator, The Digital and Intelligence Service (DIS)
LCP Martin Koh
Cyber Operator, The Digital and Intelligence Service (DIS)
In stripped binaries, malware analysts often struggle in a sea of raw offsets and pointer arithmetic. We share our journey of data structure reconstruction with AETHER.
Kan Onn Kit
Compilers generate all our code, but they don’t get it right all the time. In this talk, we’ll introduce how compilers can affect software security in general, before going deep into a V8 optimization n-day from the perspective of a vulnerability researcher.
Kenneth Huang
Consultant (Enterprise Security), CSIT
This session re-examines physical security assumptions in Cyber Defence structures.
ME4 Anton Chua
C4X (Cyber), The Digital and Intelligence Service (DIS)
A thought experiment on Rolling API Tokens, leveraging the Double Ratchet Protocol to eliminate long-lived secrets through continuous key rotation.
Daryl Lim
Engineer (Infocomm Infrastructure Security), CSIT
Find What They Ignore
Loke Yan Hao
Senior Specialist (Network and System Security), CSIT
Eugene Lim (@spaceraccoon)
Sng Peng Boon
Lead Specialist (Network and System Security), CSIT
Goh Shao Xiang
Lead Specialist (Network and System Security), CSIT
James Tan
Consultant (Network and System Security), CSIT