Static analysis: looking for errors ... and vulnerabilities? (Andrey Karpov)
The National Institute of Standards and Technology (NIST) reports that 64% of software vulnerabilities stem from programming errors and not a lack of security features.
Static analysis advantages:
- Early detection of problems.
- Full code coverage.
- Great at finding typos and copy-paste errors.
- Etc.
Making OpenBSD Useful on the Octeon Network Gear by Paul Irofti (eurobsdcon)
Abstract
My work on the Octeon port made it possible for OpenBSD to run on the D-Link DSR line of mid-range routers and also improved all supported models through the drivers I wrote. I'm continuing my work on improving the OpenBSD experience on the Octeon products by enhancing network support (including advanced switch support among other things) and adding disk support via USB and CFI. This presentation summarizes the developments I brought and the obstacles I faced.
Speaker bio
Paul is an OpenBSD developer since 2008, involved in ACPI, suspend and resume, power management, mips64, porting and currently with a keen interest in the Loongson and Octeon platforms. Currently he's a freelancer and also studying for his PhD in Parallel Algorithms for Signal Processing. In the past he worked for a telephony company developing VoIP, Voicemail and related software and after that as an antivirus engine developer and reverse engineer. In his spare time he enjoys a good game of Go, running or hiking.
This talk gives a short introduction into buffer overflows, how to exploit them and which counter measures are used in openSUSE Linux to make exploitation harder.
We'll cover stack canaries, fortify source, address space layout randomization and NX. We'll see how they work and how they can be circumvented in a live demo of a working exploit that manages to circumvent these security measures.
Lecture slides that I used in Advanced Information Security Summer School (AIS3, 2016 & 2018) in Taiwan. https://ais3.org/
These are the lecture materials used in lectures for Taiwan's advanced security talent development program (AIS3, 2016/2018).
This event is part of our ongoing series about IT Security. In this session, Carl Svensson, a security professional working in the Google Offensive Security team, gives us an introduction to Binary Exploitation. Watch the recording at https://dscmunich.de/binexp
The NFL is the most popular professional sports league among U.S. fans. 111.3 Million people watched the 2012 super bowl. That's more than the 2012 Presidential debates with only 65.5 million viewers...
#Concussion #Football #Sports #ConcussionMovie
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L... (Asuka Nakajima)
[Abstract]
When developing a 1-day exploit code, patch diffing (binary diffing) is one of the major techniques to identify the part to which security fixes are applied. This technique has been well-known for a long time among reverse engineers, and thus to support the diffing, various tools such as BinDiff, TurboDiff, and Diaphora have been developed. However, although those fantastic tools greatly support the analysis, patch diffing is still a difficult task because it requires deep knowledge and experience. In order to address this issue, we conducted a pilot study with the goal to achieve a semi-automated patch diffing by applying machine-learning techniques. Based on the hypothesis that “similar types of vulnerabilities will be fixed in a similar manner,” we have applied the unsupervised machine learning technique to extract those patterns and considered the way to achieve semi-automated patch diffing. In the talk, we will show the details of our pilot study and share the insights that we have gained. We believe that our insights will help other researchers who will conduct similar research in the future.
You use InfluxData to monitor the performance of your infrastructure and apps—so it is equally important to keep your InfluxEnterprise instance up and running. Tim Hall, InfluxData VP of Products, will outline why and how you can monitor InfluxEnterprise with InfluxDB.
Online Student Management
Online Student Management is an integrated application and a data warehouse of student and course information. It is a complete web-based application for all kinds of educational institutions, fully web-enabled and operating over the Internet or a LAN. Online Student Management is an integrated, automated program that controls all the different processes and procedures involved from admission to certification of students in educational institutions.
The Online Student Management System is designed to integrate the four elements of an educational system: management, teachers, students and parents. Online Student Management ranges from a simple student portfolio to a complex open communication channel which facilitates synchronization of information between the four elements and helps institutions be efficient and effective. The actors (i.e., users) of Online Student Management are the Principal, Faculty, Student, Admin, Dean/HOD and Parent.
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ... (MITRE ATT&CK)
From ATT&CKcon 3.0
By Jonny Johnson, Red Canary and Olaf Hartong, FalconForce
As defenders, we often find ourselves wanting "more" data. But why? Will this new data provide a lot of value or is it for a very niche circumstance? How many attacks does it apply to? Are we leveraging previous data sources to their full capability? Within this talk, Olaf and Jonny will walk through different data sources they leverage more than most when analyzing data within environments, why they do, and what these data sources do and can provide in terms of value to a defender.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
TaintScope
1. A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection
Tielei Wang (1), Tao Wei (1), Guofei Gu (2), Wei Zou (1)
(1) Peking University, China
(2) Texas A&M University, US
2.
Checksum: a way to check the integrity of data. Used in network protocols and files.
[Figure: data is fed to a checksum function, producing the data plus a checksum field.]
Fuzzing: generating malformed inputs and feeding them to the application.
Dynamic taint analysis: runs a program and observes which computations are affected by predefined taint sources (e.g. input).
3.
The input mutation space is enormous.
Most malformed inputs are dropped at an early stage if the program employs a checksum mechanism.
4.
 1  void decode_image(FILE* fd){
 2      ...
 3      int length = get_length(fd);
 4      int recomputed_chksum = checksum(fd, length);
 5      int chksum_in_file = get_checksum(fd);
 6      if(chksum_in_file != recomputed_chksum)   // line 6 checks the integrity of the input
 7          error();
 8      int Width = get_width(input_file);
 9      int Height = get_height(input_file);
10      int size = Width*Height*sizeof(int);
11      int* p = malloc(size);
12      ...
13      for(i=0; i<Height; i++){   // read ith row to p
14          read_row(p+Width*i, i, fd);
5.
- Infer whether and where a program checks the integrity of its input.
- Identify which input bytes can flow into sensitive points: taint analysis at byte level monitors how the application uses the input data.
- Create malformed inputs focusing on the "hot bytes".
- Repair checksum fields in the input to expose vulnerabilities.
- Fully automatic.
- Found 27 new vulnerabilities: Acrobat Reader, Google Picasa and more.
8.
Runs the program with well-formed input. The execution monitor records:
- Which input bytes are related to arguments of API functions (e.g. malloc, strcpy): the "hot bytes" report.
- Which bytes each conditional jump instruction depends on (e.g. JZ, JE, JB): the checksum report.
Considers only data flow (no control flow).
9.
Instruments instructions: data movement (e.g. MOV, PUSH), arithmetic (e.g. SUB, ADD), logic (e.g. AND, XOR).
Taints all values written by an instruction with the union of all taint labels associated with the values used by that instruction.
Also considers the eflags register.
Example:
eax {0x6, 0x7}, ebx {0x8, 0x9}
add eax, ebx
eax {0x6, 0x7, 0x8, 0x9}, eflags {0x6, 0x7, 0x8, 0x9}
10.
Input size is 1024 bytes.
"hot bytes" report for lines 8-11:
 8  int Width = get_width(input_file);
 9  int Height = get_height(input_file);
10  int size = Width*Height*sizeof(int);
11  int* p = malloc(size);
...
0x8048d5b: invoking malloc: [0x8,0xf]
...
12.
Checksum detector: identify potential checksum check points.
Heuristic: the recomputed checksum value depends on many input bytes.
Instruments conditional jumps. Before execution, checks whether the number of taint marks associated with the eflags register exceeds a threshold.
Caveat: decompressed bytes (each of which depends on many input bytes) also trigger this heuristic.
14. to 16.
Refinement:
Well-formed inputs can pass the checksum test, but most malformed inputs cannot.
- Run well-formed inputs and identify the always-taken and always-not-taken conditional jump instructions.
- Run malformed inputs and again identify the always-taken and always-not-taken instructions.
- Identify the conditional jump instructions that behave completely differently when processing well-formed and malformed inputs.
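Slides 9, 10, 12 and 14-16 describe the execution monitor in prose only. The following is an added example, not TaintScope's code: a small Python model in which every value derived from the input carries the set of input byte offsets it depends on, the union rule from slide 9 is applied by the operator overloads, the "eflags" labels of each JZ are checked against a threshold as on slide 12, and the always-taken/always-not-taken refinement of slides 14-16 is computed from the branch outcomes of well-formed inputs versus one-byte mutants. The decode_image routine, its 1024-byte file layout, the threshold of 64 and the branch site 0x8048d70 are constructed for the illustration; the addresses 0x8048d4f and 0x8048d5b are the ones printed on the slides and are used here only as labels.

```python
import random

CHECKSUM_THRESHOLD = 64      # assumed: a branch depending on more input bytes is a candidate
CHECK_SITE, MALLOC_SITE = 0x8048d4f, 0x8048d5b   # addresses as shown on the slides
WIDTH_SITE = 0x8048d70       # constructed: an ordinary, non-checksum branch

class T:
    """A concrete value plus the set of input byte offsets that influenced it."""
    def __init__(self, value, labels=()):
        self.value, self.labels = value, frozenset(labels)
    def _bin(self, other, fn):   # slide 9: result labels = union of the operands' labels
        other = other if isinstance(other, T) else T(other)
        return T(fn(self.value, other.value), self.labels | other.labels)
    def __add__(self, o): return self._bin(o, lambda a, b: (a + b) & 0xffffffff)
    def __mul__(self, o): return self._bin(o, lambda a, b: (a * b) & 0xffffffff)

class Monitor:
    """Execution monitor: records what the program does with tainted values."""
    def __init__(self, data):
        self.data = data
        self.hot_bytes = []        # (site, api, labels)     "hot bytes" report
        self.checksum_report = []  # (site, count, lo, hi)   checksum report
        self.branch_log = []       # (site, taken)           for the refinement step
    def load_u32(self, off):       # 4-byte little-endian load, one label per input byte
        return T(int.from_bytes(self.data[off:off + 4], "little"), range(off, off + 4))
    def load_u8(self, off):
        return T(self.data[off], {off})
    def api_call(self, site, name, arg):
        self.hot_bytes.append((site, name, arg.labels))
    def jz(self, site, a, b):      # eflags labels = union of the compared operands' labels
        labels = a.labels | b.labels
        if len(labels) > CHECKSUM_THRESHOLD:       # slide 12: depends on many input bytes
            self.checksum_report.append((site, len(labels), min(labels), max(labels)))
        taken = a.value == b.value                 # JZ is taken when the values are equal
        self.branch_log.append((site, taken))
        return taken

def decode_image(mon):
    """Toy decode_image over a constructed 1024-byte layout: 0..3 checksum (32-bit sum
    of bytes 4..end), 8..0xb width, 0xc..0xf height."""
    chksum_in_file = mon.load_u32(0)
    recomputed = T(0)
    for off in range(4, len(mon.data)):
        recomputed = recomputed + mon.load_u8(off)
    if not mon.jz(CHECK_SITE, chksum_in_file, recomputed):  # slide line 6
        return "rejected"
    width, height = mon.load_u32(8), mon.load_u32(0xc)
    if mon.jz(WIDTH_SITE, width, T(0)):
        return "empty"
    mon.api_call(MALLOC_SITE, "malloc", width * height * 4)  # slide line 11
    return "decoded"

def run(data):
    mon = Monitor(data)
    return decode_image(mon), mon

def make_input(width, height):   # a well-formed input with a valid checksum field
    buf = bytearray(1024)
    buf[8:12], buf[12:16] = width.to_bytes(4, "little"), height.to_bytes(4, "little")
    buf[0:4] = (sum(buf[4:]) & 0xffffffff).to_bytes(4, "little")
    return bytes(buf)

def mutate(data, seed):          # flip one protected byte, as a plain mutation fuzzer would
    rng, buf = random.Random(seed), bytearray(data)
    buf[rng.randrange(4, len(buf))] ^= rng.randrange(1, 256)
    return bytes(buf)

def format_reports(mon):         # the two reports in the notation of slides 10 and 21
    lines = [f"{s:#x}: JZ: {n}: [{lo:#x},{hi:#x}]" for s, n, lo, hi in mon.checksum_report]
    lines += [f"{s:#x}: invoking {api}: [{min(l):#x},{max(l):#x}]" for s, api, l in mon.hot_bytes]
    return lines

def branch_profile(inputs):      # per jump site, the set of outcomes seen over the runs
    seen = {}
    for data in inputs:
        for site, taken in run(data)[1].branch_log:
            seen.setdefault(site, set()).add(taken)
    return seen

def bypass_info(well_formed, malformed):
    """Slides 14-16: keep the jumps that always go one way on well-formed inputs and
    always the other way on malformed ones."""
    good, bad = branch_profile(well_formed), branch_profile(malformed)
    info = {}
    for site, outcomes in good.items():
        if len(outcomes) == 1 and bad.get(site) == {not next(iter(outcomes))}:
            info[site] = "always-taken" if outcomes == {True} else "always-not-taken"
    return info

def demo(seed=7):                # well-formed seeds versus one-byte mutants of each
    good = [make_input(w, h) for w, h in ((4, 4), (16, 8), (64, 64), (1, 1))]
    bad = [mutate(g, seed + i) for i, g in enumerate(good)]
    return bypass_info(good, bad)

if __name__ == "__main__":
    print("\n".join(format_reports(run(make_input(4, 4))[1])))
    print({f"{s:#x}": v for s, v in demo().items()})
```

Running it prints the two report lines in the slides' notation (the JZ depends on all 1024 bytes, the malloc argument on bytes 0x8 to 0xf) and flags only the checksum branch as always-taken, while the width check, which depends on four bytes and is never reached by the rejected mutants, is left alone. The `mutate` step also shows the point of slide 3: every one-byte mutant is rejected before it reaches the allocation, so nothing useful is learned from it without the checksum-aware handling.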
18.
Checksum detector: checksum field identification.
 6  if(chksum_in_file != recomputed_chksum)
 7      error();
The input bytes that affect chksum_in_file are the checksum field.
19.
Generates malformed test cases and feeds them to the original or instrumented program.
According to the bypass rules, alters the execution traces at check points by setting the eflags register.
20.
All malformed test cases are constructed based on the "hot bytes" information, using attack heuristics:
- Bytes that influence memory allocation are set to small, large or negative values.
- Bytes that flow into string functions are replaced by characters such as %n, %p.
Output: test cases that cause a crash or consume 100% CPU.
21.
 6  if(chksum_in_file != recomputed_chksum)
 7      error();
 8  int Width = get_width(input_file);
 9  int Height = get_height(input_file);
10  int size = Width*Height*sizeof(int);
11  int* p = malloc(size);
Checksum report
...
0x8048d4f: JZ: 1024: [0x0,0x3ff]
...
Bypass info
0x8048d4f: JZ: always-taken
"hot bytes" report
...
0x8048d5b: invoking malloc: [0x8,0xf]
...
22.
 6  if(chksum_in_file != recomputed_chksum)
 7      error();
 8  int Width = get_width(input_file);
 9  int Height = get_height(input_file);
10  int size = Width*Height*sizeof(int);
11  int* p = malloc(size);
Before executing 0x8048d4f, the fuzzer sets the ZF flag in eflags to the opposite value.
Checksum report
...
0x8048d4f: JZ: 1024: [0x0,0x3ff]
...
Bypass info
0x8048d4f: JZ: always-taken
"hot bytes" report
...
0x8048d5b: invoking malloc: [0x8,0xf]
...
23.
Fixing is expensive, so checksum fields are fixed only in test cases that caused a crash.
How?
Cr: raw data in the checksum field
D: input data protected by the checksum field
Checksum(): the complete checksum algorithm
T: transformation
We want to satisfy the constraint:
Checksum(D) == T(Cr)
24.
Using symbolic execution to solve:
Checksum(D) == T(Cr)
Checksum(D) is a constant determinable at runtime, so the constraint becomes:
c == T(Cr)
Only Cr is a symbolic value.
Common transformations (e.g. converting from hex/oct to decimal) can be solved by existing solvers (STP).
25.
If the new test case causes the original program to crash, a potential vulnerability is detected!
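Slides 19 to 25 describe the checksum-aware part of the loop: mutate the hot bytes, run with the check bypassed, and repair the checksum field of the crashing cases by solving c == T(Cr) before re-running them against the original program. The following is an added example, not TaintScope's code. Its toy file format (a "CHK=<field>" header line followed by the protected data D, with width and height as the first eight bytes of D), the CRC32 checksum, the two transformations T (decimal and hex text) and the 1 MiB allocation limit standing in for a real crash are all constructed; where TaintScope hands c == T(Cr) to STP, this example inverts T directly and checks that the solution satisfies the constraint.

```python
import zlib

ALLOC_LIMIT = 1 << 20   # assumed: the toy decoder "crashes" when asked for more than 1 MiB

# T maps the raw checksum field bytes Cr to the value compared at the check point; each
# entry is (T, inverse of T).  Both transformations are constructed for this example.
TRANSFORMS = {
    "decimal": (lambda cr: int(cr.decode(), 10), lambda c: str(c).encode()),
    "hex":     (lambda cr: int(cr.decode(), 16), lambda c: f"{c:x}".encode()),
}

def checksum(d):          # Checksum(D): CRC32 over the protected data (toy format)
    return zlib.crc32(d) & 0xffffffff

def split(testcase):      # constructed layout: b"CHK=<Cr>\n" followed by D
    head, _, d = testcase.partition(b"\n")
    return head[len(b"CHK="):], d

def build(width, height, payload, t="decimal"):
    """A well-formed test case: D = width, height (uint32 LE) + payload, valid field."""
    d = width.to_bytes(4, "little") + height.to_bytes(4, "little") + payload
    return b"CHK=" + TRANSFORMS[t][1](checksum(d)) + b"\n" + d

def decode(testcase, t="decimal", bypass_check=False):
    """Toy decoder: the slide's line-6 check, then an allocation sized by the hot bytes.
    bypass_check models slides 19 and 22: the fuzzer forces ZF so the JZ is taken."""
    cr, d = split(testcase)
    if not bypass_check and TRANSFORMS[t][0](cr) != checksum(d):
        return "rejected"
    width, height = int.from_bytes(d[0:4], "little"), int.from_bytes(d[4:8], "little")
    if width * height * 4 > ALLOC_LIMIT:
        return "crash: oversized allocation"   # stands in for the real program misbehaving
    return "decoded"

def attack_heuristic(testcase, offset, kind):
    """Slide 20: a 4-byte field that influences an allocation is set to a small, large or
    negative value; the checksum field is left untouched."""
    values = {"small": 0, "large": 0x7fffffff, "negative": 0xffffffff}
    head, _, d = testcase.partition(b"\n")
    d = d[:offset] + values[kind].to_bytes(4, "little") + d[offset + 4:]
    return head + b"\n" + d

def repair_checksum(testcase, t="decimal"):
    """Slides 23-24: Checksum(D) is the runtime constant c, so solve c == T(Cr) for Cr.
    Here T is inverted directly; TaintScope hands the constraint to a solver (STP)."""
    _, d = split(testcase)
    c = checksum(d)
    cr = TRANSFORMS[t][1](c)
    assert TRANSFORMS[t][0](cr) == c          # the solution satisfies the constraint
    return b"CHK=" + cr + b"\n" + d

def checksum_aware_fuzz(seed_input, t="decimal"):
    """Mutate the width field, run with the check bypassed, and repair only the test
    cases that crashed (slide 23); re-run those against the unmodified decoder (slide 25)."""
    results = []
    for kind in ("small", "large", "negative"):
        case = attack_heuristic(seed_input, 0, kind)      # width = first 4 bytes of D
        if decode(case, t, bypass_check=True).startswith("crash"):
            case = repair_checksum(case, t)
        results.append((kind, decode(case, t)))
    return results

if __name__ == "__main__":
    seed = build(4, 4, b"\x00" * 64)
    for kind, outcome in checksum_aware_fuzz(seed):
        print(f"{kind:>8}: {outcome}")
```

The "small" mutant never crashes, so it is not repaired and the unmodified decoder rejects it; the "large" and "negative" mutants crash under the bypass, are repaired, and then pass the check of the original decoder and reach the oversized allocation. The defender's reading of this is the one slide 32 implies: a checksum or CRC detects accidental corruption and nothing more, so the decoder must bound-check width and height itself, and an integrity scheme that cannot be repaired without a secret (a keyed MAC or a signature) only makes the test case generation harder, not the allocation bug go away.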
32.
Limitations:
- TaintScope cannot deal with secure integrity check schemes (e.g. cryptographic hash algorithms, digital signatures): it is impossible to generate valid test cases.
- Limited effectiveness when all input data are encrypted (tracking decrypted data).
- Checksum check point identification can be affected by the quality of the inputs.
- Does not track control flow propagation.
- Not all x86 instructions are instrumented by the execution monitor.
33.
TaintScope can perform:
- Directed fuzzing: identify which bytes flow into system/library calls, dramatically reducing the mutation space.
- Checksum-aware fuzzing: disable checksum checks by control flow alteration, and generate correct checksum fields in invalid inputs.