Cyber Defense Institute Engineers to Present at "BSides Las Vegas"

July 4, 2025 Event
Our engineer Hiroki Matsukuma will be presenting at "BSides Las Vegas 2025," an international security conference held in Las Vegas, USA from August 4-6, 2025. BSides Las Vegas is known as a technical community event where security researchers and practitioners from around the world converge, and this year's program is set to feature an enriched lineup that includes "Skytalks."

Presentation Title: "Unawakened Wakeup: A Novel PHP Object Injection Technique to Bypass `__wakeup()`"

Some PHP libraries implement a `__wakeup()` method that throws an exception in classes that could be used as Property-Oriented Programming (POP) gadgets. This prevents PHP object injection through `unserialize()` and effectively takes those classes out of play as gadgets altogether. Traditional bypass techniques have exploited interpreter bugs, but these are quickly addressed through patches.

This talk introduces a novel bypass technique based on the Arbitrary Object Instantiation (AOI) primitive. Because it instantiates dynamic classes outside of `unserialize()` processing, `__wakeup()` is never triggered. The only prerequisite for this technique is the existence of a POP gadget that executes `new $className(...)`.

Since this technique relies solely on core language specification behavior, it is unlikely to be fixed by future patches. The demonstration will revive a deprecated PHPGGC Guzzle/RCE1 chain and achieve remote code execution on a default installation of Neos Flow.
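To make the distinction in the abstract concrete, here is a small added PHP illustration (not code from the talk or from Cyber Defense Institute) of a throwing `__wakeup()` guard, of why that guard has no effect on objects created through `new $className(...)`, and of an allowlist check on dynamic class names as the corresponding mitigation. All class and function names are hypothetical.

```php
<?php
// Added illustration; class and function names are hypothetical.

class GuardedGadget
{
    public function __construct(public string $target = 'default') {}

    // Guard pattern used by some libraries: refuse to be revived from serialized data.
    public function __wakeup(): void
    {
        throw new \RuntimeException('GuardedGadget cannot be unserialized');
    }
}

// 1) The guard works on the unserialize() path: __wakeup() runs and throws.
try {
    unserialize('O:13:"GuardedGadget":1:{s:6:"target";s:3:"foo";}');
    $viaUnserialize = 'created';
} catch (\RuntimeException $e) {
    $viaUnserialize = 'blocked: ' . $e->getMessage();
}

// 2) A dynamic `new` goes through the constructor, not __wakeup(),
//    so the same guard never fires here.
$className = 'GuardedGadget';    // imagine this string came from request data
$viaNew = new $className('foo'); // constructed normally; __wakeup() is not invoked

// 3) Defender's check: resolve user-influenced class names only against an
//    explicit allowlist before handing them to `new`.
function instantiateAllowed(string $className, array $allowlist, array $args = []): object
{
    if (!in_array($className, $allowlist, true)) {
        throw new \InvalidArgumentException("class not allowed: $className");
    }
    return new $className(...$args);
}

try {
    instantiateAllowed($className, ['SafeReport', 'SafeExporter'], ['foo']);
    $viaAllowlist = 'created';
} catch (\InvalidArgumentException $e) {
    $viaAllowlist = 'blocked: ' . $e->getMessage();
}

printf("unserialize(): %s\nnew \$className: %s\nallowlisted new: %s\n",
    $viaUnserialize, get_class($viaNew), $viaAllowlist);
```

Running it shows the first path blocked by the guard, the second producing a live `GuardedGadget`, and the third blocked by the allowlist, which is the control that actually addresses the `new $className(...)` path.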

Presenter: Hiroki Matsukuma, Tech Lead, Reverse Engineering Group, Cyber Defense Institute, Inc.

Hiroki Matsukuma serves as Tech Lead in the Reverse Engineering Group of the Technical Division at Cyber Defense Institute, Inc., where he is involved in management and proposal activities. Since joining the company as a new graduate in 2015, he has expanded his expertise across web application vulnerability assessments, network penetration testing, and embedded device/IoT security assessments.

In penetration testing in particular, he acts as the team's "initial access broker," pursuing target infiltration driven by curiosity, while also contributing to society by reporting newly discovered vulnerabilities to IPA and vendors. He actively gives back to the security community through presentations at events, with speaking credits including m0leCon, Security.Tokyo, AVTOKYO, and CODE BLUE (U-24).

Cyber Defense Institute will continue to work with law enforcement agencies and private sector organizations worldwide to combat increasingly sophisticated, malicious, and globalized cybercrime, contributing to the improvement of security in cyberspace.

Consult with our specialists for your security needs.

Cyber Defense Institute's core values drive us to provide top-notch cyber security services and to ensure a secure digital environment for our clients.
Trust us with every aspect of your security strategy, from inception to execution.
For confidential inquiries, we also accept requests via email at cdiprivacy(at)protonmail.com.
Please consider using this option if necessary. ※ "(at)" should be replaced with "@".