Fuzzing For Worms 16/06/2018. Fuzzing For Worms. AFL for Linux Network Servers
|
|
- Tamsyn Wilkinson
- 5 years ago
- Views:
Transcription
1 1 AFL for Linux Network Servers 16/6/218 Fuzzing For Worms.
2 About Me /6/218 SSL/TLS Recommendations // OWASP Switzerland 213 Dobin Rutishauser 2 BurpSentinel - Semi Automated Web Scanner // BSides Vienna Automated WAF Testing and XSS Detection 4 Lecturer Exploit Development & Mitigations // OWASP Switzerland 215, Barcamp // Berner Fachhochschule, 216, 217, 218
3 FFW 3 What we have 1 File Based Fuzzer What I want 2 Network Fuzzer Demo 3 Praise the Demo gods! Feedback Driven Fuzzing 4 Honggfuzz Results 5 days? 8/1/216
4 AFL cd ~/binutils-2.25 CC=afl-gcc./configure make mkdir afl_in afl_out cp /bin/ps afl_in/ afl-fuzz -i afl_in -o afl_out./binutils/readelf -a 4 16/6/218
5 AFL 5 16/6/218
6 6 Everything already fuzzed :-( 16/6/218
7 Why no fuzzing network servers? 7 16/6/218
8 Fuzzing Network Servers: ISO OSI Layer 8 16/6/218
9 Fuzzing Network Servers: MQTT Protocol 9 16/6/218
10 Fuzzing Network Servers: MQTT Protocol 1 CONNECT 2 3 SUBSCRIBE <channel> PUBLISH <channel> <msg> 1 16/6/218
11 Fuzzing Network Servers - Using File based Fuzzers 11 16/6/218 Using AFL to fuzz a MQTT server? Method 1: Wrap Method 2: Rewire Wrap packet-parsing Re-wire read(), write() function to read from files
12 Fuzzing Network Servers - Wrap Method 1: Wrap Isolate main functionality Write a wrapper // Libfuzzer // AFL Persistent Mode // WinAFL 12 16/6/218
13 Fuzzing Network Servers - Re-Wiring Program 13 16/6/218 Method 2: Re-wire Re-wire read(), write() read() 4 Socket to read from files (not from sockets)
14 Fuzzing Network Servers - Re-Wiring Program 14 16/6/218 Method 2: Re-wire Re-wire read(), write() read() 1 File to read from files (not from sockets) // AFL Style Fuzz // Preeny desock
15 Fuzzing Mongoose MQTT with AFL Case Study: Mongoose 6.8 CSNC // Manual Re-Wire for de-socking Fuzz with AFL Stack BOF RCE Exploit 15 16/6/218
16 Fuzzing Network Servers: AFL 16 16/6/218 File Based Fuzzer Problems What are packets? // CONNECT read() Target write() read() write() read() write() SUBSCRIBE PUBLISH Mutate File
17 Fuzzing Network Servers: AFL 17 16/6/218 File Based Fuzzer Problems What are packets? // CONNECT read() Target write() read() write() read() write() SUBSCRIBE PUBLISH Mutate File
18 Generators 18 A better way? Generational Fuzzers Protocol Specifications // Reproduce protocol in code as XML Specify every field, datatype, etc. 16/6/218
19 Generators Generators: Peachfuzz (XML Pits ) Spike -> Sulley -> Boofuzz (python specs) Blab Dharma Protocol Learning: Netzob (UI) Pulsar (AI) 19 16/6/218
20 Network Protocols 2 Stateless Stateful DNS, DHCP, HTTP, COAP MQTT, VNC, Teamspeak Ignore reply Responses important Packets are independant Packets dependant Use AFL Use Peach 26/6/218
21 21 I dont want to patch I dont want to XML protocols i want to fuzz! 16/6/218
22 FFW Phases 1 Intercept Replay Data Detect Crash Capture Fuzz some data Check if server is Network Data and send stil alive 16/6/218? $ 4 5??? Profit!
23 Demo 23 FFW Basic Mongoose 6.8 Demo Praise the Demo Gods 16/6/218
24 24 16/6/218 FFW Internals
25 Architecture 25 16/6/218 Interceptor Fuzzer Verifier Minimizer MITM to capture network messages Send mutated messages Re-send messages which crash server Find unique crashes Test Uploader identify failures when sending capture Upload all data to teh cloud
26 Interceptor 26 16/6/218 FFW Hello 1: cli Hello there! 2: srv Client Server Subscribe 3: cli Sure 4: srv 1: 2: 3: 4: cli: srv: cli: srv: data: data: data: data: Hello Hello there! Subscribe Sure
27 Fuzzer 27 16/6/218 FFW 1: cli 2: srv Server 3: cli 4: srv Corpus 1: 2: 3: 4: cli: srv: cli: srv: data: data: data: data: Hello Hello there! Subscribe%../../ Sure
28 Mutator: Radamsa 28 16/6/218
29 Crash Detection: TCP Connection Disconnect 29 26/6/218 TCP Handshake Crashed by Previous Input Pre-Mutated Packet FFW Mutated Packet Post-Mutated Packet Server Crashed by Current Input
30 Crash Details Crash Details: Stack Trace /6/218 PTRACE // Bad, Unreliable ASAN // Non-Stack BoF only GDB // Need Parser...
31 31 Fuzzing Hardware What I have // Xeon E5 267 (from 212) 2mb Cache! 8 cores, 16 threads! 32 GB RAM! 2.6ghz! x2! rawr! 777$, natex.us 16/6/218
32 32 16/6/218
33 Fuzzing Hardware What I really need // 33 16/6/218
34 34 16/6/218 Puppet Master - Sentient Hacking AI, created by Intelligence Unit Section 6 (Ghost in the Shell, 1995)
35 35 Feedback Driven Fuzzing 16/6/218
36 Feedback Driven Fuzzing - Function Level 36 16/6/218 Fuzzer Corpus: 1. X Function X Function 1 Function A Function Y Function 2 Function B Function
37 Feedback Driven Fuzzing - Function Level 37 16/6/218 Fuzzer Corpus: 1. X 2. X2 Function X Function 1 Function A Function Y Function 2 Function B Function
38 Feedback Driven Fuzzing - Function Level 38 16/6/218 Fuzzer Corpus: 1. X 2. X2 3. X2A Function X Function 1 Function A Function Y Function 2 Function B Function
39 Feedback Driven Fuzzing - Function Level 39 16/6/218 Fuzzer Corpus: 1. X 2. X2 3. X2A 4. X2B Function X Function 1 Function A Function Y Function 2 Function B Function
40 Feedback Driven Fuzzing - Basic Block Level 4 16/6/218
41 Fix all the bugs American Fuzzy Lop and Address Sanitizer, Hanno Böck 41 16/6/218
42 Feedback Driven Fuzzing - Basic Block Level - Bloom Filter 42 16/6/218 if input[] == x41 if input[1] == x42 if input[2] == x43 if input[3] == x44 CRASH 1
43 Feedback Driven Fuzzing - Basic Block Level Compiler Inserts 43 16/6/218 At each basic block, add: cur_location = (block_address >> 4) ^ (block_address << 8); shared_mem[cur_location ^ prev_location]++; prev_location = cur_location >> 1;
44 Feedback Driven Fuzzing - Basic Block Level - Bloom Filter 44 16/6/218 if input[] == x41 if input[1] == x42 if input[2] == x43 if input[3] == x44 CRASH 1 1
45 Feedback Driven Fuzzing - Basic Block Level - Bloom Filter 45 16/6/218 if input[] == x41 if input[1] == x42 if input[2] == x43 if input[3] == x44 CRASH
46 Feedback Driven Fuzzing - Code Coverage 46 16/6/218 Picture Source: Circumventing Fuzzing Roadblocks with Compiler Transformations, lafintel
47 Feedback Driven Fuzzing - Basic Block Level Efficency in AFL 47 16/6/218
48 Feedback Driven Fuzzing - Methods 48 16/6/218
49 Feedback Driven Fuzzing - How-to 49 16/6/218
50 Integrating Honggfuzz in FFW 5 16/6/218 Network TCP/UDP FFW Target Unix Domain Socket HonggFuzz observe
51 Integrating Honggfuzz in FFW 51 16/6/218 Fuzz Send the fuzz (TCP) Target FFW Okay (i m done sending) New! (new BB reached) Corpus Cras (target crashed) observe HonggFuzz
52 Demo 52 FFW Mongoose 6.9 Feedback driven fuzzing with honggfuzz Demo Praise the Demo Gods 16/6/218
53 53 16/6/218 Performa nce
54 Fuzzing Performance About 3 iterations/s per thread :-( AFL: Threads = core_count / 2 FFW: Threads = core_count * 2 3 iterations/s * 32 * 2 =~ 2 (okish) 54 16/6/218
55 Fuzzing Speed Requirements 55 16/6/218 Parallel fuzzing -> parallel processes -listen %(port) Port directly as Argument -config srvcfg-%(port).conf usenetnamespace: True Port via Config File Namespaces! yay!
56 Fuzzing Speed Requirements: Parallelization 56 16/6/218 Network Namespace 1 FFW Slave Process 1 Honggfuzz FFW Slave Process 2 Honggfuzz Target Server Port: 1337 FFW Master Process Network Namespace 2 Target Server Port: 1337
57 57 Fuzzing Results 16/6/218
58 Bugs: Mongoose MQTT 6.8 Mongoose MQTT 6.9 libcoap libiec6185 vnc4server libmodbus Check docker dobin/ffw:.2 58 No Bugs: Mongoose Web Mongoose DNS Mongoose DHCP Synergy Ngircd Inspircd unrealircd portmapper 16/6/218
59 Inspircd 59 16/6/218
60 Ngircd 6 16/6/218
61 61 16/6/218 Conclusion
62 FFW 1 INTERCEPT 2 3 RETRANSMIT (fuzzed) DETECT Crashes New Basic Blocks 62 16/6/218
63 Motivation Swat low hanging bugs Use time before real fuzzing Quick-Check of a server 63 26/6/218
64 64 16/6/218
65 65 Code: github.com/dobin/ffw Me: twitter.com/dobinrutis Blog: dobin.ch/blog/tag/ffw days: github.com/dobin/ffw-docker 16/6/218 Reddit: reddit.com/r/fuzzing Get started: docker run -ti --privileged -lxc-conf="aa_profile=unconfined" dobin/ffw:.2
66 66 Q&A 16/6/218
67 Not in this presentation: Taint Tracking / Analysis SMT Solvers Automated root cause identification Automated exploit generation Automated patch generation Machine Learning / AI Kernel Fuzzing Syscall Fuzzing Instruction-Set Fuzzer Structure-aware fuzzing Anti-Fuzzing Binary Instrumentation (Intel PIN, DynamoRio) Blockchain (Smart Contracts / Ethereum) Symbolic Execution / Concolic Execution (Angr, Manticore) Compiler Transformations / Deoptimization 67 16/6/218
68 Similar solutions 68 16/6/218
69 69 Future 16/6/218
70 Future: Weighting Fitness: Fuzz which damn input? [] Input Corpus 7 1 # Crashes 2 # Hangs 3 # Children 4 Latency [] Corpus Network Message 26/6/218
71 Future: Genetic mutations 71 Generic Mutation Algorithmn 1 Per InputCorpus 2 26/6/218 Crossover (copy partially to other network messages) Mutation (re-order network messages) 3 Swap (swap messages)
72 Future Crash Analysis Code Coverage in IDE Adjust network timeout dynamically Client program fuzzing 72 26/6/218
73 73 16/6/218
74 74 The reason for all this: C C++ 16/6/218
75 Feedback Driven Fuzzing - Performance Comparison 75 16/6/218
Copyright 2015 MathEmbedded Ltd.r. Finding security vulnerabilities by fuzzing and dynamic code analysis
Finding security vulnerabilities by fuzzing and dynamic code analysis Security Vulnerabilities Top code security vulnerabilities don t change much: Security Vulnerabilities Top code security vulnerabilities
More informationFuzzing techniques & software vulnerabilities
Xavier Claude Mathieu Fourcroy William Robinet Conostix S.A. 17th October 2016 Agenda 1 2 3 4 Definition Definition Origins Context Why fuzzing? Fuzzing techniques Definition Automated testing technique
More informationFuzzing AOSP. AOSP for the Masses. Attack Android Right Out of the Box Dan Austin, Google. Dan Austin Google Android SDL Research Team
Fuzzing AOSP For the Masses AOSP for the Masses Attack Android Right Out of the Box Dan Austin, Google Dan Austin Google Android SDL Research Team Exploitation: Find the Needle Needles are Interesting
More informationSoftware security, secure programming
Software security, secure programming Fuzzing and Dynamic Analysis Master on Cybersecurity Master MoSiG Academic Year 2017-2018 Outline Fuzzing (or how to cheaply produce useful program inputs) A concrete
More informationForeword by Katie Moussouris... Acknowledgments... xvii. Introduction...xix. Chapter 1: The Basics of Networking... 1
Brief Contents Foreword by Katie Moussouris.... xv Acknowledgments... xvii Introduction...xix Chapter 1: The Basics of Networking... 1 Chapter 2: Capturing Application Traffic... 11 Chapter 3: Network
More informationFuzzing. compass-security.com 1
Fuzzing compass-security.com 1 Fuzzing Finding bugs by bombarding target with nonconform data Think: Flip a few bits in a PDF, then start Acrobat with that PDF Just more automated Steps: Create input corpus
More informationCS155: Computer Security Spring Project #1
CS155: Computer Security Spring 2018 Project #1 Due: Part 1: Thursday, April 12-11:59pm, Parts 2 and 3: Thursday, April 19-11:59pm. The goal of this assignment is to gain hands-on experience finding vulnerabilities
More informationKLEE Workshop Feeding the Fuzzers. with KLEE. Marek Zmysłowski MOBILE SECURITY TEAM R&D INSTITUTE POLAND
Feeding the Fuzzers with KLEE Marek Zmysłowski MOBILE SECURITY TEAM R&D INSTITUTE POLAND This presentation was created with help and commitment of the Samsung R&D Poland Mobile Security team. KLEE and
More informationIt was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to
1 2 It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to keep putting garbage characters into the command
More informationThe Fuzzing Project https://fuzzing-project.org/
The Fuzzing Project https://fuzzing-project.org/ Hanno Böck 1 / 18 Motivation Motivation Fuzzing C Memory Bugs Invalid memory access example Do you use tools like strings, less, file, convert, ldd, unzip,...?
More informationAdvanced Custom Network Protocol Fuzzing. Joshua Pereyda Tim Clemans
Advanced Custom Network Protocol Fuzzing Joshua Pereyda Tim Clemans Outline Lecture: Intro Lecture: Basic Techniques with boofuzz Exercise 1 Target Practice Lecture: More Techniques Exercise 2 Target Practice
More informationBuilding Advanced Coverage-guided Fuzzer for Program Binaries
Building Advanced Coverage-guided Fuzzer for Program Binaries NGUYEN Anh Quynh WEI Lei 17/11/2017 Zero Nights, Moscow 2017 Self-introduction NGUYEN Anh Quynh, PhD
More informationWriting a fuzzer. for any language with american fuzzy lop. Ariel Twistlock Labs
Writing a fuzzer for any language with american fuzzy lop Ariel Zelivansky @ Twistlock Labs What is fuzzing? Technique for testing software by providing it with random, unexpected or invalid input Dumb
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Homework 2 Due: Monday, February 22nd, at 11:59pm Instructions. This homework is due Monday, February 22nd, at 11:59pm. It must be submitted electronically
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 16: Building Secure Software Department of Computer Science and Engineering University at Buffalo 1 Review A large number of software vulnerabilities various
More informationSoftware Security IV: Fuzzing
1 Software Security IV: Fuzzing Chengyu Song Slides modified from Dawn Song 2 Administrivia Homework1 Due: Friday Oct 27 11:59pm Questions regarding reading materials Talk Security R&D in a Security Company:
More informationGeneral Pr0ken File System
General Pr0ken File System Hacking IBM s GPFS Felix Wilhelm & Florian Grunow 11/2/2015 GPFS Felix Wilhelm && Florian Grunow #2 Agenda Technology Overview Digging in the Guts of GPFS Remote View Getting
More informationFuzzing proprietary SCADA protocols
Fuzzing proprietary SCADA protocols Sergey Bratus Black Hat 2008 INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Cyber Security and Trust Research & Development http:// Fuzzing SCADA Ganesh Devarajan (TippingPoint)
More informationHigh Performance Fuzzing
High Performance Fuzzing Richard Johnson Hushcon 2015 Introduction Whoami Richard Johnson / @richinseattle Research Manager, Vulnerability Development Cisco, Talos Security Intelligence and Research Group
More informationRootless Containers with runc. Aleksa Sarai Software Engineer
Rootless Containers with runc Aleksa Sarai Software Engineer asarai@suse.de Who am I? Software Engineer at SUSE. Student at University of Sydney. Physics and Computer Science. Maintainer of runc. Long-time
More informationRemote Exploit. compass-security.com 1
Remote Exploit compass-security.com 1 Content Intel Architecture Memory Layout C Arrays Buffer Overflow BoF Exploit Assembler Shellcode Function Calls Debugging Remote Exploit Exploit Mitigations Defeat
More informationSmarter fuzzing using sound and precise static analyzers
Smarter fuzzing using sound and precise static analyzers Pascal Cuoq, Chief Scientist, TrustInSoft January 31, 2017 Pascal Cuoq, Chief Scientist, TrustInSoft smarter fuzzing January 31, 2017 1 / 8 Introduction
More informationFramework for Application Security Testing. September 11th, 2018
Framework for Application Security Testing September 11th, 2018 Create thousands of security tests from existing functional tests automatically Wallarm FAST enables secure CI / CD Wallarm FAST has many
More informationSoftware Vulnerability
Software Vulnerability Refers to a weakness in a system allowing an attacker to violate the integrity, confidentiality, access control, availability, consistency or audit mechanism of the system or the
More informationAutomatizing vulnerability research
Innova&on & Research Symposium Cisco and Ecole Polytechnique 8-9 April 2018 CEDRIC TESSIER INSTRUMENTATION TEAM LEADER / ctessier@quarkslab.com Automatizing vulnerability research to better face new software
More informationAgenda. Introduction Why are we fuzzing? Types of existing fuzzers Fuzzing, process Adoption Risks Fuzzing costs Pulling it all together
Michael Eddington Agenda Introduction Why are we fuzzing? Types of existing fuzzers Fuzzing, process Adoption Risks Fuzzing costs Pulling it all together Why are we fuzzing? ROI^2! All about the bugs!
More informationHow to implement SDL and don t turn gray. Andrey Kovalev, Security Engineer
How to implement SDL and don t turn gray Andrey Kovalev, Security Engineer Agenda SDL 101 Yandex approach SAST, DAST, FSR: drawbacks and solutions Summary 3 How to implement SDL and don t turn gray SDL
More informationWeb Application Security Payloads. Andrés Riancho SecTor 2010, Toronto, Canada.
Web Application Security Payloads Andrés Riancho SecTor 2010, Toronto, Canada. andres@rapid7.com$ whoami Director of Web Security @ Rapid7 Founder @ Bonsai Information Security Developer (python!) Open
More informationTest Automation. 20 December 2017
Test Automation 20 December 2017 The problem of test automation Testing has repetitive components, so automation is justified The problem is cost-benefit evaluation of automation [Kaner] Time for: test
More informationCSE 127 Computer Security
CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 19 SDLC: Secure Development Lifecycle Defining Security Security is not a functionality feature Most of computer science is about providing
More informationRabbit in the Loop. A primer on feedback directed fuzzing using American Fuzzy Lop. by Kevin Läufer
Rabbit in the Loop A primer on feedback directed fuzzing using American Fuzzy Lop Abstract by Kevin Läufer This guide aims to provide the reader with a good intuition about the
More informationVirtualizing IoT with Code Coverage Guided Fuzzing
Virtualizing IoT with Code Coverage Guided Fuzzing HITB2018DXB, November 2018 NGUYEN Anh Quynh, aquynh -at- gmail.com KaiJern LAU, kj -at- theshepherd.io About NGUYEN Anh Quynh > Nanyang Technological
More informationPresented By: Gregory M. Kurtzer HPC Systems Architect Lawrence Berkeley National Laboratory CONTAINERS IN HPC WITH SINGULARITY
Presented By: Gregory M. Kurtzer HPC Systems Architect Lawrence Berkeley National Laboratory gmkurtzer@lbl.gov CONTAINERS IN HPC WITH SINGULARITY A QUICK REVIEW OF THE LANDSCAPE Many types of virtualization
More informationThe Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez
The Attacker s POV Hacking Mobile Apps in Your Enterprise to Reveal Real Vulns and Protect the Business Tony Ramirez AGENDA & SPEAKERS Introduction Attacks on Mobile Live Demo Recommendations Q&A Tony
More informationSecurity Testing. Ulf Kargén Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT)
Security Testing TDDC90 Software Security Ulf Kargén Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Security testing vs regular testing Regular
More informationHackveda Training - Ethical Hacking, Networking & Security
Hackveda Training - Ethical Hacking, Networking & Security Day1: Hacking windows 7 / 8 system and security Part1 a.) Windows Login Password Bypass manually without CD / DVD b.) Windows Login Password Bypass
More informationProgram Analysis Tools. Edgar Barbosa SyScan360 Beijing
Program Analysis Tools Edgar Barbosa SyScan360 Beijing - 2015 Who am I? Edgar Barbosa Senior Security Researcher - COSEINC Experience with Windows kernel rev eng and rootkits My current focus is on applications
More informationSpeeding up Linux TCP/IP with a Fast Packet I/O Framework
Speeding up Linux TCP/IP with a Fast Packet I/O Framework Michio Honda Advanced Technology Group, NetApp michio@netapp.com With acknowledge to Kenichi Yasukata, Douglas Santry and Lars Eggert 1 Motivation
More informationPenetration Testing with Kali Linux
Penetration Testing with Kali Linux PWK Copyright Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security No part of this publication, in whole or in part, may
More informationJOE ROZNER RE-TARGETABLE GRAMMAR BASED TEST CASE GENERATION
JOE ROZNER / @JROZNER RE-TARGETABLE GRAMMAR BASED TEST CASE GENERATION 2 TESTING PARSERS IS HARD 3 HOW WE GOT HERE Mostly black box (ish) implementation of complex languages (context-free-ish) ~35k lines
More informationEnhancing Memory Error Detection for Large-Scale Applications and Fuzz testing
Enhancing Memory Error Detection for Large-Scale Applications and Fuzz testing Wookhyun Han, Byunggil Joe, Byoungyoung Lee *, Chengyu Song, Insik Shin KAIST, * Purdue, UCR 1 Memory error Heartbleed Shellshock
More informationStructure-aware fuzzing
Structure-aware fuzzing for real-world projects Réka Kovács Eötvös Loránd University, Hungary rekanikolett@gmail.com 1 Overview tutorial, no groundbreaking discoveries Motivation growing code size -> growing
More informationRemote Exploit. Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona
Remote Exploit Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout C Arrays
More informationC o n t e n t S i n D e ta i l FOrewOrd by Matt Graeber xii PreFaCe xvii C# CraSH COurSe FuzzinG and exploiting xss and SQL injection
Foreword by Matt Graeber xii Preface xvii Why Should I Trust Mono?... xviii Who Is This Book For?... xviii Organization of This Book... xix Acknowledgments... xxi A Final Note... xxi 1 C# Crash Course
More informationBuilding loosely coupled and scalable systems using Event-Driven Architecture. Jonas Bonér Patrik Nordwall Andreas Källberg
Building loosely coupled and scalable systems using Event-Driven Architecture Jonas Bonér Patrik Nordwall Andreas Källberg Why is EDA Important for Scalability? What building blocks does EDA consists of?
More informationMBFuzzer - MITM Fuzzing for Mobile Applications
MBFuzzer - MITM Fuzzing for Mobile Applications Fatih Özavcı Mentor of MBFuzer @ yakindanegitim.org fatih.ozavci at gamasec.net gamasec.net/fozavci Scope Yakindan Egitim Project Security Vulnerabilities
More informationLecture 4 Processes. Dynamic Analysis. GDB
Lecture 4 Processes. Dynamic Analysis. GDB Computer and Network Security 23th of October 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 4, Processes. Dynamic Analysis. GDB 1/45
More informationInternet Technology. 06. Exam 1 Review Paul Krzyzanowski. Rutgers University. Spring 2016
Internet Technology 06. Exam 1 Review Paul Krzyzanowski Rutgers University Spring 2016 March 2, 2016 2016 Paul Krzyzanowski 1 Question 1 Defend or contradict this statement: for maximum efficiency, at
More informationICS 351: Networking Protocols
ICS 351: Networking Protocols IP packet forwarding application layer: DNS, HTTP transport layer: TCP and UDP network layer: IP, ICMP, ARP data-link layer: Ethernet, WiFi 1 Networking concepts each protocol
More informationMASSIVE SCALE USB DEVICE DRIVER FUZZ WITHOUT DEVICE. HC Tencent s XuanwuLab
MASSIVE SCALE USB DEVICE DRIVER FUZZ WITHOUT DEVICE HC Ma @ Tencent s XuanwuLab whoami Security Researcher@ Used to doing Chemistry; Interested in: Console Hacking; Embedded Device Security; Firmware Reverse
More informationInternet Technology 3/2/2016
Question 1 Defend or contradict this statement: for maximum efficiency, at the expense of reliability, an application should bypass TCP or UDP and use IP directly for communication. Internet Technology
More information3. Penetration Testing
Reading This lecture McGraw: Ch.6 CYSE 411/AIT 681 Secure Software Engineering Topic #5. Seven Software Security Touchpoints (II) Instructor: Dr. Kun Sun 2 Seven Touchpoints 1. Code review 2. Architectural
More informationSecurity Testing. John Slankas
Security Testing John Slankas jbslanka@ncsu.edu Course Slides adapted from OWASP Testing Guide v4 CSC 515 Software Security What is Security Testing? Validate security controls operate as expected What
More informationCYSE 411/AIT 681 Secure Software Engineering. Topic #5. Seven Software Security Touchpoints (II) Instructor: Dr. Kun Sun
CYSE 411/AIT 681 Secure Software Engineering Topic #5. Seven Software Security Touchpoints (II) Instructor: Dr. Kun Sun Reading This lecture McGraw: Ch.6 2 Seven Touchpoints 1. Code review 2. Architectural
More informationNetwork File System (NFS)
Network File System (NFS) Nima Honarmand User A Typical Storage Stack (Linux) Kernel VFS (Virtual File System) ext4 btrfs fat32 nfs Page Cache Block Device Layer Network IO Scheduler Disk Driver Disk NFS
More informationWedge: Splitting Applications into Reduced-Privilege Compartments
Wedge: Splitting Applications into Reduced-Privilege Compartments Andrea Bittau Petr Marchenko Mark Handley Brad Karp University College London April 17, 2008 Vulnerabilities threaten sensitive data Exploits
More informationBest Practices for Developing & Deploying Java Applications with Docker
JavaOne 2017 CON7957 Best Practices for Developing & Deploying Java Applications with Docker Eric Smalling - Solution Architect, Docker Inc. @ericsmalling Who Am I? Eric Smalling Solution Architect Docker
More informationAndrés Riancho sec.com H2HC, 1
Andrés Riancho andres@bonsai-sec.com sec.com H2HC, HC, Brazil - 2009 1 Web Application Security enthusiast Developer (python!) Open Source Evangelist With some knowledge in networking, IPS design and evasion
More informationElasterStack 3.2 User Administration Guide - Advanced Zone
ElasterStack 3.2 User Administration Guide - Advanced Zone With Advance Zone Configuration TCloud Computing Inc. 6/22/2012 Copyright 2012 by TCloud Computing, Inc. All rights reserved. This document is
More informationEvaluation Criteria for Web Application Firewalls
Evaluation Criteria for Web Application Firewalls Ivan Ristić VP Security Research Breach Security 1/31 Introduction Breach Security Global headquarters in Carlsbad, California Web application security
More informationL4/Darwin: Evolving UNIX. Charles Gray Research Engineer, National ICT Australia
L4/Darwin: Evolving UNIX Charles Gray Research Engineer, National ICT Australia charles.gray@nicta.com.au Outline 1. Project Overview 2. BSD on the Mach microkernel 3. Porting Darwin to the L4 microkernel
More informationAvi Networks Technical Reference (16.3)
Page 1 of 7 view online A TCP/UDP profile determines the type and settings of the network protocol that a subscribing virtual service will use. It sets a number of parameters, such as whether the virtual
More informationINF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi
INF5290 Ethical Hacking Lecture 3: Network reconnaissance, port scanning Universitetet i Oslo Laszlo Erdödi Lecture Overview Identifying hosts in a network Identifying services on a host What are the typical
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationJuwei Lin. - Joined TrendMicro Since Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting
Juwei Lin - @panicaii - Joined TrendMicro Since 2013 - Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting Lilang Wu - @Lilang_Wu - Joined Trend Micro Since 2016
More informationFuzzilli. (Guided-)fuzzing for JavaScript engines. Samuel Groß
Fuzzilli (Guided-)fuzzing for JavaScript engines Samuel Groß (saelo@google.com) Motivation Cool bugs in JS engine runtime implementations, JIT compilers, etc. var a = [1, 2, 3, 4, 5]; var i = {}; i.valueof
More informationJuwei Lin. - Joined TrendMicro Since Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting
Juwei Lin - @panicaii - Joined TrendMicro Since 2013 - Windows Kernel/Rootkit/Bootkit - Ransomware Decryption - ios/android/mac Vulnerability Hunting Lilang Wu - @Lilang_Wu - Joined Trend Micro Since 2016
More informationSandwiches for everyone
Inf2C :: Computer Systems Today s menu ( And finally, monsieur, a wafer-thin mint ) Notes on security Or, why safety is an illusion, why ignorance is bliss, and why knowledge is power Stack overflows Or,
More informationFinding media bugs in Android using file format fuzzing. Costel Maxim Intel OTC Security
Finding media bugs in Android using file format fuzzing Costel Maxim Intel OTC Security 1 Agenda File format fuzzing Generate high-quality corpus of files Fuzzing the Stagefright Framework Logging & Triage
More informationReverse Engineering. Class 6. Fuzzing. Reverse Engineering Class 6 Martin Balao martin.uy/reverse v1.0 EN CC BY-SA
Reverse Engineering Class 6 Fuzzing 1 Fuzzing Grey box testing May be guided by reverse engineering Send, in an automatized way, valid and invalid inputs to an application with the goal of triggering bad
More informationIntegration of the softscheck Security Testing Process into the V-Modell
Integration of the softscheck Security Testing Process into the V-Modell Wilfried Kirsch, Prof. Dr. Hartmut Pohl softscheck GmbH Köln Büro: Bonnerstr. 108. 53757 Sankt Augustin www. softscheck.com Products
More information12d Synergy Requirements
This document outlines the requirements for a 12d Synergy implementation. The server requirements may differ based on the number of users. Operating below these minimum requirements will put you in an
More informationSupervisor as a Platform. OSCON 2008 Mike Naberezny
Supervisor as a Platform OSCON 2008 Mike Naberezny About Me http://mikenaberezny.com http://maintainable.com http://ohloh.net/accounts/mnaberez Goals Quickly learn the basics of Supervisor and how to get
More informationHack and Slash with Pythonect. Itzik Kotler Creator and Lead Developer of Pythonect and Hackersh
Hack and Slash with Pythonect Itzik Kotler Creator and Lead Developer of Pythonect and Hackersh Pythonect Pythonect is a portmanteau of the words Python and Connect New, experimental, general-purpose dataflow
More informationCoverage-guided Fuzzing of Individual Functions Without Source Code
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results
More informationFortiTester Handbook VERSION 2.5.0
FortiTester Handbook VERSION 2.5.0 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com
More informationConfigure Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) Service Settings on a Switch
Configure Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) Service Settings on a Switch Objective Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are transportation
More informationThis release of the product includes these new features that have been added since NGFW 5.7.
Release Notes Revision A McAfee Next Generation Firewall 5.8.3 Contents About this release New features Enhancements Changes Known limitations Resolved issues System requirements Installation instructions
More informationhaltdos - Web Application Firewall
haltdos - DATASHEET Delivering best-in-class protection for modern enterprise Protect your website against OWASP top-10 & Zero-day vulnerabilities, DDoS attacks, and more... Complete Attack Protection
More informationrfs Remote File System Softwarepraktikum für Fortgeschrittene
rfs Remote File System Softwarepraktikum für Fortgeschrittene Parallele und Verteilte Systeme Institut für Informatik Ruprecht-Karls-Universität Heidelberg Michael Kuhn Betreuer: Julian Kunkel 2009-07-09
More informationApplication security : going quicker
Application security : going quicker The web application firewall example Agenda Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF
More informationMetasm. a ruby (dis)assembler. Yoann Guillot. 20 october 2007
Metasm a ruby (dis)assembler Yoann Guillot 20 october 2007 Metasm Presentation I am Yoann Guillot I work for Sogeti/ESEC in the security R&D lab Metasm HACK.LU 2007 2 / 23 Plan Metasm 1 Metasm 2 Metasm
More informationImproving Linux Development with better tools. Andi Kleen. Oct 2013 Intel Corporation
Improving Linux Development with better tools Andi Kleen Oct 2013 Intel Corporation ak@linux.intel.com Linux complexity growing Source lines in Linux kernel All source code 16.5 16 15.5 M-LOC 15 14.5 14
More information"Secure" Coding Practices Nicholas Weaver
"Secure" Coding Practices based on David Wagner s slides from Sp 2016 1 Administrivia Computer Science 161 Fall 2016 2 3 This is a Remarkably Typical C Problem Computer Science 161 Fall 2016 if ((options
More informationThe Pennsylvania State University The Graduate School College of Engineering EXTENDING VULNERABILITY DISCOVERY WITH FUZZING
The Pennsylvania State University The Graduate School College of Engineering EXTENDING VULNERABILITY DISCOVERY WITH FUZZING AND SYMBOLIC EXECUTION TO REALISTIC APPLICATIONS A Thesis in Computer Science
More informationFUZZING JAVASCRIPT ENGINES FOR FUN & PROFIT AREUM
FUZZING JAVASCRIPT ENGINES FOR FUN & PROFIT AREUM LEE@SSG SINGI@THEORI HITBAMS2018 - FUZZING JAVASCRIPT ENGINES FOR FUN AND PROFIT AREUM LEE Areum Lee Member @ SSG Undergrad student @ Sejong Univ Former
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationFuzzing the easy way, using Zulu
An NCC Group Publication Fuzzing the easy way, using Zulu Prepared by: Andy Davis Research Director andy.davis at nccgroup dot com Contents 1 Introduction... 3 2 Tutorial One: Zulu basics... 4 3 Tutorial
More informationIoT The gift that keeps on giving
IoT The gift that keeps on giving Contributors labs@bitdefender.com Radu Alexandru Basaraba - rbasaraba@bitdefender.com Alexandru Lazar allazar@bitdefender.com Mihai Moldovan - mimoldovan@bitdefender.com
More informationRelease Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7/v1.8
Release Notes for Epilog for Windows v1.7/v1.8 About this document InterSect Alliance International Pty Ltd Page 1 of 29 This document provides release notes for Snare Enterprise Epilog for Windows release
More informationLecture 4: Threats CS /5/2018
Lecture 4: Threats CS 5430 2/5/2018 The Big Picture Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures. Once Upon a Time Bugs "bug":
More informationPyNetSim A modern INetSim Replacement. Jason Jones FIRST 2017
PyNetSim A modern INetSim Replacement Jason Jones FIRST 2017 BackGround Why? Research teams may need a simulated environment because They are not allowed to directly contact malware C2s Trying to avoid
More informationSONiC Software Subsystems SONiCSoftware Subsystems Overview Overview
SONiC Software Subsystems SONiCSoftware Subsystems Overview Overview OCP workshop Aug 2018 OCP workshop Aug 2018 Rodny Molina Linkedin rmolina@linkedin.com SONiC Software Subsystems. SONiC Subsystems Interactions.
More informationProject #1: Tracing, System Calls, and Processes
Project #1: Tracing, System Calls, and Processes Objectives In this project, you will learn about system calls, process control and several different techniques for tracing and instrumenting process behaviors.
More informationCS 155: Real-World Security
CS 155: Real-World Security April 14, 2016 Alex Stamos CSO, Facebook Why are you here? Agenda We are going to discuss: How bugs are found How defense works in the real world We will walk through some:
More informationMalware
reloaded Malware Research Team @ @xabiugarte Motivation Design principles / architecture Features Use cases Future work Dynamic Binary Instrumentation Techniques to trace the execution of a binary (or
More informationharm nium Mahesh Balakrishnan MSR Helgi Kr. Sigurbjarnarson RU Ymir Vigfusson RU Pétur O. Ragnarsson RU
harm nium Helgi Kr. Sigurbjarnarson RU Pétur O. Ragnarsson RU Ymir Vigfusson RU Mahesh Balakrishnan MSR VM VM Host cannot reclaim space from virtual disk Hypervisor VM Virtual disk cannot expand beyond
More informationMonitoring Network File Systems
Monitoring Network File Systems eg Enterprise v6 Restricted Rights Legend The information contained in this document is confidential and subject to change without notice. No part of this document may be
More informationFuzzgrind: an automatic fuzzing tool
Fuzzgrind: an automatic fuzzing tool 1/55 Fuzzgrind: an automatic fuzzing tool Gabriel Campana Sogeti / ESEC gabriel.campana(at)sogeti.com Fuzzgrind: an automatic fuzzing tool 2/55 Plan 1 2 3 4 Fuzzgrind:
More informationDeterministic Process Groups in
Deterministic Process Groups in Tom Bergan Nicholas Hunt, Luis Ceze, Steven D. Gribble University of Washington A Nondeterministic Program global x=0 Thread 1 Thread 2 t := x x := t + 1 t := x x := t +
More information