My presentation for the DIMVA 2020 conference about the security of application installers. I show the operation dynamics of the repositories and reverse engineer some application installers to show their vulnerabilities, such as to man-in-the-middle attacks.
ZeroVM background: Introduction to some of the concepts behind ZeroVM. A little discussion of the Google Native Client project and software-based fault isolation is also provided.
Take a step forward from user to maintainer or developer in open source secur... - SZ Lin
There are a variety of high-quality open source security-related tools available in penetration testing tools, forensics tools, hardening tools, fuzz tools, and network monitoring tools. These tools could be used freely; however, we might face some issues while using them. Therefore, it is essential to have the ability to maintain or develop these tools. In this slide, SZ Lin introduces Security Tools Packaging Team in Debian; this team aims to maintain collaboratively many security tools and merge back tools packaged by security-oriented Debian derivatives (e.g., Kali). Also, SZ shares the experience in discussing and collaborating with open source maintainers and developers in open source security-related tools.
It's a pivotal challenge to update the software in embedded systems due to many restrictions such as unreliable network and power supply, limited bandwidth, harsh environment, etc. This slide aims to provide the background knowledge and the open source tool to achieve the software update in embedded systems.
Introduction to Civil Infrastructure Platform - SZ Lin
CIP aims to establish an open source base layer of industrial grade software to enable the use and implementation of software. This slide will introduce the current status and road map in CIP.
Manage kernel vulnerabilities in the software development lifecycle - SZ Lin
This slide deck aims to introduce the methodology in managing the Linux kernel vulnerabilities in the software development lifecycle (SDLC) to reduce the maintenance effort.
Design, Build, and Maintain the Embedded Linux Platform - SZ Lin
Using open source software to build an embedded Linux platform from scratch.
Building an embedded Linux platform is like a puzzle; placing the suitable software components in the right positions will constitute an optimal platform. However, selecting suitable components is difficult since it depends on different application scenarios. The essential components of an embedded Linux platform include the bootloader, Linux kernel, toolchain, root filesystem; it also needs the tools for image generation, upgrades, and testing. There are abundant resources in the Linux ecosystem with these components and tools; however, selecting the suitable modules and tools is still a key challenge for system designers.
Using open source software to build an industrial grade embedded linux platfo... - SZ Lin
Building an embedded Linux platform is like a puzzle; placing the suitable software components in the right positions will constitute an optimal platform. However, selecting suitable components is difficult since it depends on different application scenarios. The essential components of an embedded Linux platform include the bootloader, Linux kernel, toolchain, root filesystem; it also needs the tools for image generation, upgrades, and testing. There are abundant resources in the Linux ecosystem with these components and tools; however, selecting the suitable modules and tools is still a key challenge for system designers.
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak... - CODE BLUE
Japan is recently experiencing a rise in targeted attacks. However, it is rare that details of such attacks are revealed. Under this circumstance, JPCERT/CC has been investigating the attack operations targeting Japanese organizations including the government and leading enterprises. We have especially been tracking two distinct cases over a prolonged period.
The first case, which became public in 2015, drew nationwide attention for victimizing several Japanese organizations. In this case, the attacker conducts sophisticated attacks through network intrusion and targeting weak points of the organizations.
The second case has been continuously targeting certain Japanese organizations since 2013. Although this case has not drawn as much attention, the attacker has advanced techniques and uses various interesting attack methods.
This presentation will introduce the above two attack operations, including attack techniques we revealed through prolonged investigation, the malware/tools being used, as well as useful techniques/tools for analyzing related malware.
Threat Analysis on Win10 IoT Core and Recommended Security Measures by Naohi... - CODE BLUE
Windows 10 IoT was released as a platform for IoT.
Windows 10 IoT Core, which is the lightest among Windows 10 IoT, is usable without charge, and can be run on single board computers like Raspberry Pi. So far, Linux-based platforms were considered as the platform for IoT devices, but now there is another option.
We conducted research on security system of Windows 10 IoT Core to judge whether it could be used safely.
We investigated the security design, the security functions, and default services, such as Web, FTP, and SSH, served by this OS. Furthermore, we also analyzed risks of intrusion and malware infection.
As a result of the investigation, we found that, as in the newest Windows, DEP, ASLR and CFG are also effective as countermeasures against attacks on vulnerabilities that affect the main memory. These countermeasures are not omitted from Windows 10 IoT Core.
On the other hand, we also found some designs and default settings of services and components are insecure.
For example, Windows update is disabled, Windows Firewall is disabled by default settings, Web interface is served on HTTP, and its authentication is basic authentication.
Moreover, we found a problem in the design of the remote debug service. This problem allows an attacker to create any user account and intrude using the web interface or SSH. Therefore, this problem might be abused by worm malware.
Lastly, we will introduce recommended security measures such as disabling unused services, changing settings, enabling the firewall, enabling web interface on HTTPS, etc.
(Embedded Linux Conference Europe 2014)
Linux is used in many kinds of embedded products. The products include not only consumer electronics but also control systems such as programmable logic controllers. There are many types of infrastructure systems and each system has different technical requirements. The requirements include not only real-time performance but also reliability-related functions. The infrastructure systems have to meet all the requirements. This presentation gives a summary of our study and development to adapt Linux to infrastructure systems. Then we discuss the direction of future development. Please note, this presentation doesn't focus on a specific product.
Long-term Maintenance Model of Embedded Industrial Linux Distribution - SZ Lin
To introduce a robust, secure and reliable platform for the industrial environments is a key challenge; moreover, the platform needs to survive for a long time (more than 10+ years). There are many good solutions aiming to meet these requirements, such as LTSI (Long Term Support Initiative) and CIP (Civil Infrastructure Platform). However, it still needs a high amount of maintenance and development costs in handling SoC/hardware board in-house patches, non-upstream drivers and keeping source code consistent with different SoCs and platforms afterwards.
In this presentation, SZ Lin will introduce how to operate a long-term maintenance model of an embedded industrial Linux distribution. In addition, he will also address the building, deploying and testing architecture and workflow for producing a robust, secure and reliable platform.
My #hacktrickconf presentation about Joshua Drake's Stagefright vulnerability.
This is the English version of my presentation:
http://www.slideshare.net/oguzhantopgul/androidin-yeni-kabusu-medya-dosyalari-media-files-androids-new-nightmare-52578473
I tried to explain the details of CVE-2015-1538, P0004, Google Stagefright ‘stts’ MP4 Atom Integer Overflow Remote Code Execution vulnerability
Stagefright affects over 90% of Android devices and will cause one of the largest security updates. However, many news reports in Japan were flawed and caused confusion.
Dipping Your Toes Into Cloud Native Application Development - Matthew Farina
Presented at CloudDevelop 2016
Building cloud native applications in containers is a new hot topic. Netflix and Google are two prime examples that have been doing it successfully for some time. Some of the new exciting projects like Docker and Kubernetes are focused on cloud native applications in containers. There are supposed to be numerous benefits including the ability to scale applications out easily while doing development on small systems like laptops, the ability for the system to handle some operational problems, and the capability to safely deploy updates to production many times per day. But, what does this look like in practice and how do you start the move to cloud native and containerized applications? In this session we'll look at what makes up a cloud native application, how they work, and how you can start small. We'll look at applications from an architecture and process point of view along with how you can deploy them to AWS, Azure, or Google Cloud. You'll walk away ready to start development on a cloud native app.
Application Security Guide for Beginners - Checkmarx
This beginner’s guide to application security focuses on the main concepts and keywords used in the Application Security domain. From a secure software development lifecycle (SDLC) to the top threats facing applications and their impacts, this guide covers it all!
This guide is divided into the following categories:
- Code Development Methodologies
- Code
- Application Security Solutions
- Common threats and their impacts
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx - lior mazor
Our technology, work processes, and activities all depend on whether we trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security in the development process, advanced DevSecOps methods, how to manage the implementation of secure coding analysis, and how to manage software security risks.
Finding Bugs, Fixing Bugs, Preventing Bugs — Exploiting Automated Tests to In... - University of Antwerp
With the rise of agile development, software teams all over the world embrace faster release cycles as *the* way to incorporate customer feedback into product development processes. Yet, faster release cycles imply rethinking the traditional notion of software quality: agile teams must balance reliability (minimize known defects) against agility (maximize ease of change). This talk will explore the state-of-the-art in software test automation and the opportunities this may present for maintaining this balance. We will address questions like: Will our test suite detect critical defects early? If not, how can we improve our test suite? Where should we fix a defect?
(Keynote for the SHIFT 2020 and IWSF 2020 Workshops, October 2020)
The truth is that money can’t buy security just as it cannot buy happiness. Ransomware has become a cybercriminal’s most profitable enterprise, and something that IT professionals and even the general public now fear. Ransomware is actually pretty simple and unsophisticated code, and at times the damage can be stopped with some simple tricks. Best of all, these are FREE!
The Log4Shell Vulnerability – explained: how to stay secure - Kaspersky
On December 9th, a Chinese researcher posted his now-monumental discovery on Twitter: there was a Remote Code Execution vulnerability in the popular Apache Log4j library. This library is used in millions of commercial and open-source applications. Ranked 10 out of 10 in terms of severity, CVE-2021-44228, also known as Log4Shell, is capable of giving attackers full control over targeted systems.
The exploit takes advantage of Apache’s Java Naming and Directory Interface (JNDI), which provides programmers with an easy way to process remote commands and remote objects by calling external objects. However, with Log4Shell, attackers can inject their own code into the JNDI lookup command: code that will then be executed on the targeted system.
Supply Chain Security for Containerised Workloads - Lee Chuk Munn - NUS-ISS
Containers have emerged as an indispensable component of modern cloud-native applications, serving diverse roles from development environments to application distribution and deployment on platforms like Azure's App Service and Kubernetes. In this presentation, we will delve into a suite of powerful tools designed to ensure the adoption of best practices in container management. You'll gain insights into how to scan container images rigorously, identifying and mitigating vulnerabilities effectively. We'll also explore the art of generating comprehensive software bill of materials (SBOM) for your containers and the significance of signing container images for enhanced security. The ultimate goal of this presentation is to empower you with the knowledge and skills necessary to seamlessly integrate these tools and practices into your CI (Continuous Integration) pipelines. By the end of this session, you'll be well-equipped to fortify your container workflows, delivering secure and robust cloud-native applications that thrive in today's dynamic digital landscape.
Outdated training deck for Prometheus monitoring tool - shared as a basis for newer content for potential MeetUp and Conference talks. I'm sharing it since there is some intrinsic value remaining.
Among Viruses, Trojans, and Backdoors: Fighting Malware in 2022 - Marcus Botacin
My talk at Federal University of Minas Gerais (UFMG) to present some aspects of modern malware research and some of my contributions to the field (derived from my PhD defense). I cover all steps of a detection pipelines: threat hunting, malware triage, sandbox execution, threat intelligence, and endpoint protection.
Near-memory & In-Memory Detection of Fileless Malware - Marcus Botacin
My keynote at the Brazilian Security Symposium (SBSeg), as part of the Computer Forensics Workshop (WFC), talking about fileless malware, the challenges for antivirus detection, and new detection strategies. I present the prototype of a hardware AV with integrated signature matching to decrease the performance penalty imposed by software-only AVs.
GPThreats-3: Is Automated Malware Generation a Threat? - Marcus Botacin
My talk about generating malware automatically using GPT-3, the differences for ChatGPT, limits, and possibilities. Multiple malware variants are generated and submitted to Antivirus (AV) scans. We also present a defense perspective on how defenders can use artificial intelligence to deobfuscate malware samples.
[HackInTheBOx] All You Always Wanted to Know About Antiviruses - Marcus Botacin
My talk at the HackInTheBox security conference Amsterdam 2023 about the reverse engineering of AV engines, covering signatures, whitelists, blocklists, kernel drivers, hooking, and much more.
[Usenix Enigma] Why Is Our Security Research Failing? Five Practices to Change! - Marcus Botacin
My talk at the USENIX Enigma 2023 discussing challenges and pitfalls in malware research. I discuss 5 aspects to change, from diversity of research work to reproducibility crisis.
In this talk, I cover the basic idea of hardware-assisted, two-level architectures for security monitoring and its applications to the malware detection problem. I propose detection triggers involving branch predictor, MMU, memory controller, co-processors, and FPGAs.
Talk presented at the Real Time systems group seminar series at the University of York.
How do we detect malware? A step-by-step guide - Marcus Botacin
Slides from my talk at Texas A&M University (TAMU) seminar series (2002), where I present a landscape of the malware detection pipeline currently used by the industry and how academia can contribute to that. I present new solutions ranging from the use of ML, sandbox solutions, and hardware support for the development of more performance-efficient Antivirus.
On the Malware Detection Problem: Challenges & Novel Approaches - Marcus Botacin
Marcus Botacin's PhD Defense at Federal University of Paraná (UFPR).
Advisor: Dr André Grégio
Co-Advisor: Paulo de Geus
Evaluation Committee:
Dr Leigh Metcalf, Dr Leyla Bilge, Daniel Alfonso Oliveira
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp... - Marcus Botacin
Describing our experience in the MLSec competition for the seminar series of the University of Waikato. Presented by Fabricio Ceschin and Marcus Botacin from the Federal University of Paraná.
Near-memory & In-Memory Detection of Fileless Malware - Marcus Botacin
Proposal of a hardware-based AV embedded within the memory controller to mitigate the performance penalty when searching for fileless malware samples. Presented at 2020 MEMSYS.
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia... - Marcus Botacin
My talk at USENIX ENIGMA 2021 about Brazilian Financial Malware. It encompasses desktop and mobile environments, analyzed both statically and dynamically.
Towards Malware Decompilation and Reassembly - Marcus Botacin
I present RevEngE, the Reverse Engineering Engine, a PoC for the debug-based decompilation approach. Presentation given at Reverse Engineering (ROOTS) conference in Vienna, Austria, 20219.
Malware Variants Identification in Practice - Marcus Botacin
Research project discussing how to identify malware variants in actual scenarios. We discuss same-behavior function replacement and the relevance of similarity and continence metrics.
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Elevating Tactical DDD Patterns Through Object Calisthenics - Dorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
When stars align: studies in data quality, knowledge graphs, and machine lear...
On the Security of Application Installers & Online Software Repositories
1. Introduction Repositories Installers Trojanization Conclusion
Marcus Botacin (1), Giovanni Bertão (2), Paulo de Geus (2), André Grégio (1), Christopher Kruegel (3), Giovanni Vigna (3)
(1) Federal University of Paraná – Brazil (UFPR), {mfbotacin,gregio}@inf.ufpr.br
(2) University of Campinas – Brazil (UNICAMP), {bertao,paulo}@lasca.ic.unicamp.br
(3) University of California at Santa Barbara – USA (UCSB), {chris,vigna}@ucsb.edu
2020
On the Security of Application Installers & Online Software Repositories 1 / 38 DIMVA 2020
Apps Stores
Figure: Android’s App Store.
Desktop Software Repositories
Figure: Evaluated Repositories.
Software Repositories
Figure: Software Inclusion.
Software Repositories
Figure: Multiple Versions.
Software Repositories
Figure: Repackaging.
Software Repositories
Figure: Binary Replacement.
Software Repositories
Figure: Security Checks.
Software Repositories
Table: Repository Summary.
Repository Uploaded By Reviewed By Sponsored Ranking Servers Security Checks
FileHorse Users Site Internal/External
Cnet Users Site External*
FileHippo Site Site Internal
SourceForge Users Internal
Softpedia Users Site Internal/External
Research Questions
Repositories
How often do they replace binaries?
How fast do applications climb the rankings?
Installers
How do installers work?
Are they vulnerable?
Trojanization
Is there evidence of Trojanization?
Is Trojanization prevalent?
Methodology
Steps and tools:
1. Scrapy: daily crawl of installer binaries.
2. AutoIT: automate the execution of installers in a sandbox.
Figure: Automated Installation Example.
Dataset
Table: Dataset overview. The number of unique files differs due to changes in distribution over time.
Repository     Programs (#)   Unique Files (#)
FileHorse      82             314
Cnet           118            295
FileHippo      433            906
SourceForge    99             631
Softpedia      901            897
Total          1,633          2,935

Table: File sharing among repositories. They usually do not share files for the same programs.
Repositories                Sharing Rate (%)
(Cnet, FileHorse)           48.04
(FileHippo, FileHorse)      17.65
(Cnet, FileHippo)           15.69
(FileHippo, SourceForge)    07.84
(Cnet, Softpedia)           04.90
(Cnet, SourceForge)         03.92
(FileHorse, Softpedia)      00.98
(FileHippo, Softpedia)      00.98
Dataset
Table: File types distribution. Self-contained PE files are the prevalent type of program installers.
Type                       Format    Prevalence (%)
Java                       -         0.67
ISO                        -         1.04
Compressed File Formats    7-zip     0.37
Compressed File Formats    RAR       0.30
Compressed File Formats    XZ        0.37
Compressed File Formats    ZIP       20.47
Compressed File Formats    bzip2     0.37
Compressed File Formats    gzip      1.34
Windows Binaries           DOS       0.45
Windows Binaries           PE        65.63
Windows Binaries           .Net      0.67
Windows Binaries           PE+       0.45
Other                      -         7.87

Table: Binary file’s size distribution. Small binaries are associated to downloaders and large ones to droppers.
Interval (MB)         Frequency   Binaries (%)
[0.000, 0.400)        93          5.42
[0.400, 1.400)        128         7.46
[1.400, 5.000)        242         14.11
[5.000, 70.000)       619         36.08
[70.000, 150.400)     145         8.45
[150.400, 600.400)    105         6.12
[600.400, 888.000)    16          0.93
Installers Collection
Figure: Accumulative downloads for each software repository. (Plot "Total Hashes per Repository": hashes (#) over days, one series each for Softpedia, FileHippo, FileHorse, SourceForge and Cnet.)
Figure: Daily Downloads. FileHippo’s servers were unreachable in the last week. (Plot "Daily Hashes per Repository": hashes (#) over days, one series each for Softpedia, FileHippo, FileHorse, SourceForge and Cnet.)
Evolution Strategy 1: Adding a new repository entry [1]
Figure: Ranking position changes of the top-100 downloaded programs.
Figure: Distribution of Programs in Ranking Positions.
[1] Hypothesized based on the behavior of all installers, not only Trojanized ones.
Evolution Strategy 2: Replacing an existing binary [2]
Figure: Download of new (unique) files.
Figure: Distributed Binaries Updates.
[2] Hypothesized based on the behavior of all installers, not only Trojanized ones.
Installer Types
C:\installer.exe|Write|C:\Users\Win7\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\vsdrinst64.exe
C:\installer.exe|Write|C:\Users\Win7\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Install.exe
Code 1: Dropper Installer. Some installers drop embedded payloads to disk and launch them as new processes.
GET 200.143.247.9:80 (et1.zonealarm.com/V1?TW9kdWxlPWluc3RhbGxlch98U2Vzc2lvbj0wYzNjNDA1OD)
Code 2: Downloader Installer. Some installers perform (encoded) network requests to retrieve payloads from the Internet.
Downloaders
Figure: Internet-Based Installers. Some applications require Internet access for full software
installation.
System Changes
Table: Top-5 file extensions most written by installers.
Extension    DLL      EXE      TMP      VPX    SYS
Files (#)    6,949    1,309    1,302    811    790

C:\Users\Win7\AppData\Local\Temp\BullGuard Backup Setup.exe|SetValueKey|HKU\userid\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyEnable|1
Code 3: Proxy Definition. Some installers change system-wide proxy settings.
Persistence
C:\Users\Win7\AppData\Local\Temp\7zS4DEAD364\Stub.exe|SetValueKey|HKU\userid\Software\Microsoft\Windows\CurrentVersion\RunOnce|PandaRunOnce|
Code 4: Persistence. Some installers set executable paths in the Registry to be executed after a system reboot.
C:\Users\Win7\AppData\Local\Temp\ajAE1E.exe|SetValueKey|HKLM\SOFTWARE\Wow6432Node\AVAST Software\Browser|installer_run_count|1
Code 5: Multi-Step Installers. They control how many times they will run.
Network Usage
GET iavs9x.u.avast.com/iavs9x/avast_free_antivirus_setup_online_x64.exe
GET download.bitdefender.com/windows/bp/all/avfree_64b.exe
GET iavs9x.avg.u.avcdn.net/avg/iavs9x/avg_antivirus_free_setup_x64.exe
GET dm.kaspersky-labs.com/en/KAV/19.0.0.1088/startup.exe
GET download.bullguard.com/BullGuard190AV_x64_190411.exe
Code 6: Unencrypted Download by Installers. The use of HTTP-only connections may make users vulnerable.
Network Attacks
Bad Practice
https://www.youtube.com/watch?v=dRI0J9TGqy4
Good Practice
https://www.youtube.com/watch?v=vGrLbFlyXb0
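A triage pass over a sandbox trace for the installer behaviours listed in Codes 1 to 6: dropped executables, proxy changes, RunOnce persistence, cleartext binary downloads and encoded requests. This is an added example, not the authors' tooling; the trace lines, hosts and tag names are constructed, and it assumes every GET line was captured over plain HTTP.

```python
import base64
import re

# Constructed sample in the pipe-separated style of the slides' listings; hosts,
# paths and value names are made up. Assumption: every GET line was captured
# in cleartext (plain HTTP), as in the slides' Code 6.
SAMPLE_TRACE = r"""
C:\installer.exe|Write|C:\Users\Win7\AppData\Local\Temp\{GUID}\payload.exe
C:\Users\Win7\AppData\Local\Temp\setup.exe|SetValueKey|HKU\userid\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyEnable|1
C:\Users\Win7\AppData\Local\Temp\stub.exe|SetValueKey|HKU\userid\Software\Microsoft\Windows\CurrentVersion\RunOnce|ExampleRunOnce|C:\stub.exe
C:\installer.exe|Write|C:\Program Files\Example\readme.txt
GET downloads.example.test/free/setup_online_x64.exe
GET telemetry.example.test/V1?TW9kdWxlPWluc3RhbGxlcnxTZXNzaW9uPTEyMzQ=
"""

EXEC_EXT = (".exe", ".dll", ".sys")


def decode_query(query):
    """Return the decoded text if the query is mostly-printable base64, else None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{16,}={0,2}", query):
        return None
    body = query.rstrip("=")  # tolerate truncated or unpadded values
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4))
    except ValueError:  # binascii.Error: impossible length
        return None
    printable = sum(32 <= b < 127 for b in raw)
    return raw.decode("latin-1") if raw and printable >= 0.9 * len(raw) else None


def classify(line):
    """Map one trace line to a (tag, detail) finding, or None if unremarkable."""
    if line.startswith("GET "):
        url = line[4:].strip().rstrip(")")
        path, _, query = url.partition("?")
        decoded = decode_query(query) if query else None
        if decoded:
            return ("encoded-request", decoded)
        if path.lower().endswith(EXEC_EXT):
            return ("plaintext-binary-download", url)
        return None
    fields = line.split("|")
    if len(fields) < 3:
        return None
    op, target = fields[1], fields[2]
    name = fields[3].strip() if len(fields) > 3 else ""
    value = fields[4].strip() if len(fields) > 4 else ""
    key = target.lower()
    if op == "Write" and "\\temp\\" in key and key.endswith(EXEC_EXT):
        return ("dropped-executable", target)
    if op == "SetValueKey" and key.endswith(("\\run", "\\runonce")):
        return ("autostart-persistence", f"{target}|{name}")
    if op == "SetValueKey" and key.endswith("\\internet settings") and name == "ProxyEnable":
        return ("proxy-change", f"ProxyEnable={value}")
    return None


def triage(trace):
    """Classify every non-empty line and keep the findings in trace order."""
    hits = (classify(line.strip()) for line in trace.splitlines() if line.strip())
    return [hit for hit in hits if hit]
```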
Installation Tracking
GET /v1/offer/campaignFilter/?bundleId=UT006&campaignId=5b6352b3ce72513ae0a6beef
GET sos.adaware.com|/v1/offer/campaignFilter/?bundleId=UT006&campaignId=5b6352b3ce72513ae0a6beef
GET flow.lavasoft.com|/v1/event-stat?ProductID=IS&Type=StubBundleStart
Code 7: Installation Tracking. Some installers send back tracking information to notify providers about the installation.
Uninstallers
C:\Users\Win7\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Install.exe|Create|C:\Users\Win7\AppData\Local\Temp\{907A1104-E812-4b5c-959B-E4DAB37A96AB}\Uninst.exe
Code 8: Uninstaller Definition. Some installers set uninstallers for the applications.
C:\Program Files (x86)\GUM5D5C.tmp\fmanUpdate.exe|SetValueKey||HKU\userid\Software\fmanUpdate|UninstallCmdLine|C:\Users\Win7\AppData\Local\fmanUpdate\fmanUpdate.exe /uninstall
Code 9: Parameter-Based Uninstallers. They define command line parameters for software removal.
Third-Party Components
C:\installer\3rdPartyApp\GoogleToolBar\GoogleToolbarInstaller_zh-TW.exe
Code 10: Google Toolbar embedded as third-party extension of the main app.
HKCU\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\ToolBar|Add
Code 11: IE Settings Modification. New bookmarks, cookies, and configurations set in the browser.
C:\Users\Win7\AppData\Local\Temp\is-3ACQL.tmp\Advertising_english.exe
Code 12: Adware. The advertisement software is dropped from a file created by the main installer.
Targeting & Fingerprinting
C:\Setup.exe|SetValueKey|HKCU\userid\Software\Microsoft\SQMClient|UserId|{C2CFE0D4-A3A2-4458-A73F-F16F10E4C0D7}
C:\Setup.exe|SetValueKey|HKCU\userid\Software\Microsoft\SQMClient|UserId|{EA0CB74D-DB5D-40EE-A402-47A97F23904E}
C:\Setup.exe|SetValueKey|HKCU\userid\Software\Microsoft\SQMClient|UserId|{E81A6607-9EB3-49BA-B354-FA42817594BA}
Code 13: Tracking IDs of installers of distinct repositories. Each installer presents a distinct tracking ID according to the repository from which it was downloaded.
Popularity
Figure: Security Warning. Trojanization has become popular to the point of some installers
warning users about this possibility.
AV Scans
Figure: AV Labels Distribution. Many samples were considered either as malicious or as Trojanized. (Bar chart "AV Detection Labels Distribution": prevalence (%) per label family: Trojan, PUA, Win32/*, Unsafe, malw, Adw, Pack.)
Figure: Trojanized Apps Detection per AV. Distinct AVs present very distinct criteria and thus detection rates. (Plot "Detected Trojans per AV": detected samples (%) per AV ID (#).)
Repositories
Figure: AV Labels Distribution. Many samples were considered either as malicious or as Trojanized. (Bar chart "AV Detection Labels Distribution": prevalence (%) per label family: Trojan, PUA, Win32/*, Unsafe, malw, Adw, Pack.)
Figure: Trojanized Apps Detection per Repository. Distinct repositories present very distinct rates. (Bar chart "Detected Trojan Distribution": Trojans (%) per repository: Cnet, FHorse, FHippo, SForge, Spedia.)
Implications
For Users
Always prefer downloading from the official source.
For Repositories
Pay special attention to popular applications.
For Researchers
Scan binaries before assuming goodware ground-truth.
Make hashes available to ensure reproducibility.
A Possible Future
Figure: Microsoft’s App Store.
Installer’s Policies
Action
“We collect some limited information that your device and browser routinely make
available whenever you visit a website or interact with any online service.”
Goal
“We collect this data to improve the overall quality of the online experience, including
product monitoring, product improvement, and targeted advertising.”
Scope
“We may also include offers from third parties as part of the installation process for
our Software.”
Integrity Checking (Other Platforms)
Figure: Integrity check on a bank’s app.
Thank You (Once Again)!
Contact
E-mail: mfbotacin@inf.ufpr.br
Twitter: @MarcusBotacin
Source Code
Github:
https://github.com/marcusbotacin/Application.Installers.Overview