1) Security workarounds (SWRRs) aim to rapidly neutralize software vulnerabilities without introducing new bugs, by leveraging existing error handling mechanisms to disable vulnerable code.
2) An evaluation of SWRRs on 5 Linux applications found they could neutralize 53% of vulnerabilities unobtrusively, which is over 2 times as many as configuration workarounds alone.
3) The Talos tool automatically generates SWRRs by analyzing source code to identify error handling patterns and adding minimal instrumentation, requiring low developer effort. SWRRs introduce an average 1.3% runtime overhead.
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
Demonstrates remote code execution in the presence of modern OS security features. Stresses the importance of secure programming. Explains the binary reverse engineering process.
Lesser Known Security Problems in PHP ApplicationsZendCon
When the security of PHP applications is in focus usually standard XSS vulnerabilities, SQL Injections, Remote File Inclusions, Header Injections and CSRF are discussed. However there are a number of different vulnerability classes and non obvious exploitation paths that are as dangerous but lesser known. This talk will give an insight in such vulnerabilities and how to defend against them.
Software reliability models have been in existence since the early 1970s; over 200 have been developed. Some of the older models have been discarded based on more recent information about their assumptions, and newer ones have replaced them.
Static analysis as means of improving code quality Andrey Karpov
The National Institute of Standards and Technology (NIST) reports that 64% of software vulnerabilities stem from programming errors and not a lack of security features.
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackTechSecIT
Cyber Security - What is a SQL Injection, Buffer Overflow & Wireless Network Attack. Types of SQL Injection, Buffer Overflow and Wireless Network Attack
A few slides on Robert Seacord's book, "Secure Coding in C/C++". While the McAfee template was used for the original presentation, the info from this presentation is public.
The security process should be well integrated with the SDLC to be successful. While many companies have already moved from Waterfall to Agile methodologies, security remains behind more often than not. We have demonstrated in our presentation how security can move to Agile by utilizing open source tools, customizing them to meet our needs, and implementing continuous security testing using dynamic scanners as well as manual testing.
It is also very important to ensure that false positives are not fed into the developers' bug tracking systems and to assign a severity to each finding correctly. To make this happen we import all our findings into a security dashboard and review them before exporting them to a bug tracking system.
PVS-Studio and static code analysis techniqueAndrey Karpov
What is "static code analysis"? It is a technique that, alongside unit tests, dynamic code analysis, code review and others, increases code quality and reliability and decreases development time.
IDA Vulnerabilities and Bug Bounty by Masaaki ChidaCODE BLUE
IDA Pro is an advanced disassembler that is often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail; if it had a vulnerability and the user were attacked, this could have an impact not only in a social sense but also on legal proceedings. In this presentation I will discuss the vulnerabilities found, attacks leveraging those vulnerabilities, Hex-Rays's remediation process, and the dialogue I had with them.
http://codeblue.jp/en-speaker.html#MasaakiChida
Towards Malware Decompilation and ReassemblyMarcus Botacin
I present RevEngE, the Reverse Engineering Engine, a PoC for the debug-based decompilation approach. Presentation given at the Reverse Engineering (ROOTS) conference in Vienna, Austria, 2019.
Automated Regression Testing for Embedded Systems in ActionAANDTech
This presentation shows a real world example of streamlining the software development for a medical device system, using continuous integration, Behavior Driven Development, and even robotics!
These ideas may be applied to any software project, regardless of budget or technologies.
Pirating AVs to Bypass Exploit Mitigations (Priyanka Aash)
"Put a low-level security researcher in front of hooking mechanisms and you get industry-wide vulnerability notifications, affecting security tools such as Anti-Virus, Anti-Exploitations and DLP, as well as non-security applications such as gaming and productivity tools. In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft's Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
In this talk we'll survey the different vulnerabilities, and deep dive into a couple of those. In particular, we'll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. This vulnerability affects the most widespread productivity applications and forced the vendor to not only fix their engine, but also that their customers fix their applications prior to releasing the patch to the public. Finally, we'll demonstrate how security tools can be used as an intrusion channel for threat actors, ironically defeating security measures."
(Source: Black Hat USA 2016, Las Vegas)
Discussing Errors in Unity3D's Open-Source ComponentsPVS-Studio
Unity3D is one of the most promising and rapidly developing game engines to date. Every now and then, the developers upload new libraries and components to the official repository, many of which were not available as open-source projects until recently. Unfortunately, the Unity3D developer team has allowed the public to dissect only some of the components, libraries, and demos employed by the project, while keeping the bulk of its code closed. In this article, we try to find bugs and typos in those components with the help of the PVS-Studio static analyzer.
Using Analyzers to Resolve Security Problemskiansahafi
In this presentation I took a project and used an analyzer (e.g. SonarQube) to detect the security issues in it and reported the result; after resolving most of those problems I used the same analyzer to get another report, and in the process showed how to use such analyzers to detect security issues in web applications.
SAST, CWE, SEI CERT and other smart words from the information security worldAndrey Karpov
Do it right from the start (doesn’t work)
Follow company rules
Use “best practices”
Code Review
Couple development
Test-driven development (TDD)
Agile development
Tools
IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for the networked devices on which our modern society is based. In this area the operating systems used are summarized under the term firmware. The devices themselves, so-called embedded devices, are essential in the private as well as the industrial environment and in so-called critical infrastructure. Penetration testing of these systems is quite complex, as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal of simplifying and optimizing the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities at the binary level. This goes far beyond plain CVE detection: with EMBA you always know which public exploits are available for the target firmware. Besides the detection of already known vulnerabilities, EMBA also supports the tester on the next 0-day. For this, EMBA identifies critical binary functions, protection mechanisms and services with network behavior at the binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more. EMBA is an open-source firmware scanner, created by penetration testers for penetration testers.
Project page: https://github.com/e-m-b-a/emba
Conference page: https://troopers.de/troopers22/agenda/tr22-1042-emba-open-source-firmware-security-testing/
I got 99 trends and a # is all of them, or: how we found 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
The Hacking Games - Operating System Vulnerabilities Meetup, 29 Nov 2022 (lior mazor)
Our technology, work processes, and activities all depend on operating systems being safe and secure. Join us virtually for our upcoming "The Hacking Games - Operating System Vulnerabilities" meetup to learn how a hacker can compromise an operating system, bypass the antivirus protection layer, and exploit Linux eBPF.
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response (S&P'2016)
1. Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Response
Zhen Huang, Mariana D’Angelo, Dhaval Miyani, David Lie
Department of Electrical and Computer Engineering
University of Toronto
2. Drawbacks of Patching
• Patching is the usual way to fix a vulnerability.
• There is often a delay between the discovery of a vulnerability and the release of its patch: the pre-patch window.
[Timeline: discover a vulnerability → release the patch → apply the patch. During the pre-patch window attackers can exploit the vulnerability.]
3. Pre-patch Window
• Our study of 131 recent vulnerabilities in five popular Linux server applications shows that the delay is significant.
• 33.3% of them were patched 30 or more days after their discovery, and the delay was 52 days on average. A recent study reports similar results [1].
1. "A large scale exploratory analysis of software vulnerability life cycles", ICSE 2012
4. Cause of Pre-patch Window
• We studied bug reports to understand the time spent on each step of releasing a patch: vulnerability triage, constructing a patch, regression testing, and (often) constructing the patch again.
• The complexity of constructing a correct patch is the major cause.
– We found bug reports for 21 of the 131 vulnerabilities. For those that took more than one day to patch, 89% of the time was spent constructing the patch.
– 9 of them took between two and six attempts to patch correctly.
Multiple attempts at patching (quotes from a bug report):
The developer: "This updates the previous patch..."
....
The developer: "This patch builds on the previous one..."
....
....
The tester: "I'm afraid I found a bug..."
5. Configuration Workarounds
• To address the pre-patch window, users often resort to configuration workarounds.
– leverage existing configuration settings to neutralize vulnerabilities
[Figure: a malicious request to the Apache HTTP server's status module [2] could expose sensitive data; with the module disabled through configuration, the request is rejected instead.]
2. CVE-2014-0226. Workaround disclosed on mail-archives.apache.org.
6. Weakness of Configuration
Workarounds
• However, configuration workarounds have poor coverage.
• Our study of 182 vulnerabilities in four Linux server applications and two Windows client applications (IE and Office) indicates that only 25.2% of them have configuration workarounds.
The vast majority of vulnerabilities do not have configuration workarounds!
7. Security Workarounds for Rapid
Response (SWRR)
• SWRRs address the drawbacks of patching and configuration workarounds.
• Objectives of SWRR:
– security: neutralize vulnerabilities rapidly without introducing new bugs or vulnerabilities
– coverage: cover many more vulnerabilities than configuration workarounds
– low cost: apply to existing applications with minimum engineering effort
8. Example of an SWRR
• An SWRR neutralizes a vulnerability by disabling the execution of vulnerable code.
• The mechanism is simple but effective.
Before:
int foo(...) {
    ....
    // vulnerable code
    ....
}
After (SWRR added at function entry):
int foo(...) {
    return error_code; // SWRR: foo() now always reports failure, so the vulnerable code below is never executed
    ....
    // vulnerable code
    ....
}
9. SWRR Deployment
Developers can choose between two deployment modes.
1. In-place SWRRs
– pre-installed into an application
– deactivated by default
– users can activate them on the fly
– can cause runtime overhead
2. Patch-based SWRRs
– issued after vulnerabilities are discovered
– users need to install them
– no runtime overhead
[Figure: the state of vulnerable code over time, from unprotected to protected by an SWRR.]
10. SWRR Reduces Pre-patch Window
• Different approaches to addressing a vulnerability:
[Figure: the steps required by a full patch compared with an in-place SWRR and a patch-based SWRR; an SWRR eliminates several of the steps a full patch requires.]
11. Challenges of SWRR
• How to disable code execution safely?
– Applications should continue to run with minimum loss of functionality.
– An SWRR should be unobtrusive, i.e. not cause loss of major functionality.
• How to minimize human effort in generating SWRRs?
12. Error-Handling Mechanism
• The existing error-handling mechanism can be leveraged to address the challenges:
– readily available
– designed for unexpected situations
– can be identified using static code analysis
Example from the lighttpd web server:
int http_request_parse(...) {
    if (0 != request_check_hostname(...)) {
        return 0; // error-handling
    }
    ....
}
int request_check_hostname(...) {
    if (invalid_hostname)
        return -1; // error-handling
    ....
}
13. Leverage Existing Error Code
• The error code used by an SWRR must be recognized by the application.
Example from the lighttpd web server (the SWRR returns the NULL that the caller already treats as an error):
unsigned char* base64_decode(...) {
    return 0; // SWRR
    // vulnerable code
    ....
}
int http_auth_basic_check(...) {
    if (!base64_decode(...)) {
        return 0; // error-handling
    }
    ....
}
14. Identify Existing Error Code
• Some approaches to identifying error code:
– Common libraries or API functions have documentation, but most code in an application does not.
– Asking developers to annotate the error code for each function is tedious and time-consuming.
• Instead we use heuristics to identify error codes via static analysis.
15. Using Heuristics
[Flow: error-logging heuristic + NULL return heuristic → list of functions that return an error code → propagate error codes via information on call chains → augmented list of functions that return an error code.]
16. Evaluation
• Our prototype, Talos, mechanically generates SWRRs and instruments them into an application.
• Security, coverage, and overhead of SWRRs are evaluated using five popular Linux applications.
– web servers: apache and lighttpd
– web cache/proxy: squid
– ftp server: proftpd
– database management: sqlite
17. Security
• Do SWRRs successfully neutralize vulnerabilities?
• Are SWRRs unobtrusive, i.e. not causing loss of
major functionality?
• We analyze the effectiveness and unobtrusiveness of SWRRs for 11 real-world vulnerabilities.
– All 11 vulnerabilities are successfully neutralized by SWRRs.
– 8 of the 11 SWRRs are unobtrusive.
A detailed analysis of each vulnerability and its SWRR is presented in the paper.
18. Coverage
• What percentage of vulnerabilities can be neutralized with an unobtrusive SWRR?
• We estimate coverage of vulnerabilities by coverage of application code: we generated and tested 320 SWRRs.
[Chart: percentage (0% to 80%) of SWRRs versus configuration workarounds, split into obtrusive and unobtrusive; unobtrusive SWRRs cover 2.1x as much as configuration workarounds.]
19. Overhead
• We measure the increased code size and runtime
overhead for in-place SWRRs.
• On average, Talos adds 2% of code and causes an
application to incur 1.3% of runtime overhead.
20. Conclusion
• SWRRs can neutralize 53% of potential vulnerabilities
unobtrusively, which is 2.1x of configuration
workarounds.
• SWRRs can be used just like configuration
workarounds with a small 1.3% runtime overhead.
• Talos mechanically generates and instruments
SWRRs into existing applications, requiring minimum
developer effort.
22. Error-logging Heuristic
• We note that error-handling code often logs the error that occurred.
• Look for a call to an error-logging function followed by a return of a constant.

  if (name == NULL) {
      // apache's error logging function
      ap_log_error(...., "Internal Error....");
      // indicate error to caller
      return APR_EBADF;
  }
  (apache web server)

• Error-logging functions are annotated by developers where they are declared.
23. NULL Return Heuristic
• A function that returns a pointer usually returns NULL to indicate an error.

  Expr *sqlite3Expr(...) {
      ....
      return sqlite3ExprAlloc(...);
  }
  static int multiSelectOrderBy(...) {
      ....
      Expr *pNew = sqlite3Expr(...);
      if (pNew==0) return SQLITE_NOMEM;
  }
  (sqlite3 database)
24. Error Propagation Heuristic
• The error code is often propagated up or down the call chain.
• We distinguish three kinds of error propagation:
– Direct error propagation
– Translated error propagation
– Inferred error propagation
25. Direct Error Propagation
• A caller directly uses its callee's return value as its own return value.

  int config_insert_values_global(...) {
      ....
      return config_insert_values_internal(...);
  }
  int config_insert_values_internal(...) {
      if (...) {
          log_error_write(...);
          return -1;
      }
      ....
  }
  (lighttpd web server)
  The callee returns -1 on error, so the caller must also return -1 on error.
26. Translated Error Propagation
• An error code can be translated before it is passed up the call chain.

  SETDEFAULTS_FUNC(mod_secdownload_set_defaults) {
      ....
      if (0 != config_insert_values_global(...)) {
          return HANDLER_ERROR;
      }
      ....
  }
  (lighttpd web server)
  The callee returns -1 on error; the caller must return HANDLER_ERROR on error.
27. Inferred Error Propagation
• The error code can be inferred down the call chain: if a caller treats a callee's return value as an error, that value is the callee's error code.

  int http_request_parse(...) {
      ....
      if (0 != request_check_hostname(...)) {
          log_error_write(...);
          return 0;
      }
      ....
  }
  (lighttpd web server)
  The caller returns 0 on error, so the callee must return non-zero on error.
28. Indirect Heuristic
• If a function has no error-handling code of its own, we disable it by disabling all of its callers.
[Figure: foo() does not handle errors; its callers funcA() and funcB() do, so the SWRRs are placed in funcA() and funcB().]
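The following is an added example, not Talos's or lighttpd's code, that ties slides 25 to 28 together: a single SWRR switch at a leaf function is carried to the top of the call chain by direct and translated propagation, a second switch shows inferred propagation, and a function with no error handling of its own is disabled through its callers. The function names, the switches and the return codes are assumptions modelled on the slides.

```c
/* Added example (not Talos's or lighttpd's code): error-code propagation
 * and the indirect heuristic. Names, switches and codes are assumptions. */
#include <stdio.h>
#include <string.h>

enum { HANDLER_GO_ON = 0, HANDLER_ERROR = 1 };

/* Hypothetical runtime switches, as an in-place SWRR would read them from configuration. */
static int swrr_config_insert_internal = 0;
static int swrr_request_check_hostname = 0;
static int swrr_foo_via_callers = 0;
void swrr_set_config_insert_internal(int on) { swrr_config_insert_internal = on; }
void swrr_set_request_check_hostname(int on) { swrr_request_check_hostname = on; }
void swrr_set_foo_via_callers(int on) { swrr_foo_via_callers = on; }

static int errors_logged = 0;
int errors_logged_so_far(void) { return errors_logged; }
static void log_error_write(const char *msg) { errors_logged++; (void)msg; }

/* Leaf: the error-logging heuristic (log call followed by a constant
 * return) identifies -1 as its error code, so the SWRR returns -1. */
int config_insert_values_internal(const char *key) {
    if (swrr_config_insert_internal) return -1;                      /* SWRR */
    if (key == NULL) { log_error_write("missing key"); return -1; }  /* original error handling */
    return 0;
}

/* Direct propagation: the caller returns the callee's value unchanged
 * and therefore inherits -1 as its own error code. */
int config_insert_values_global(const char *key) {
    return config_insert_values_internal(key);
}

/* Translated propagation: -1 from the callee becomes HANDLER_ERROR here. */
int mod_secdownload_set_defaults(const char *key) {
    if (0 != config_insert_values_global(key)) return HANDLER_ERROR;
    return HANDLER_GO_ON;
}

/* Inferred propagation: http_request_parse() returns 0 whenever this
 * function returns non-zero, so any non-zero value is an error code for
 * it; the SWRR picks -1, which the caller's "0 !=" test already rejects. */
int request_check_hostname(const char *host) {
    if (swrr_request_check_hostname) return -1;                      /* SWRR */
    if (host == NULL || strchr(host, ' ') != NULL) return -1;         /* original check */
    return 0;
}

int http_request_parse(const char *host) {
    if (0 != request_check_hostname(host)) {
        log_error_write("invalid hostname");
        return 0;                                                     /* existing error handling */
    }
    return 1;
}

/* Indirect heuristic: foo() returns nothing and has no error path of its
 * own, so the SWRR goes into every caller that does have one. */
static void foo(void) { /* stands in for vulnerable code with no error handling */ }

int funcA(void) {
    if (swrr_foo_via_callers) return -1;    /* SWRR placed in the caller */
    foo();
    return 0;
}

int funcB(void) {
    if (swrr_foo_via_callers) return -1;    /* SWRR placed in the caller */
    foo();
    return 0;
}

int main(void) {
    printf("set_defaults before SWRR: %d\n", mod_secdownload_set_defaults("secdownload.secret"));
    swrr_set_config_insert_internal(1);
    printf("set_defaults with SWRR:   %d\n", mod_secdownload_set_defaults("secdownload.secret"));
    swrr_set_foo_via_callers(1);
    printf("funcA/funcB with SWRR:    %d %d\n", funcA(), funcB());
    return 0;
}
```

Note that the SWRR returns before the original log call, so the disabled path leaves no log line of its own; an operator who deploys an SWRR should expect the symptom (here, the module refusing its defaults) rather than an error message pointing at the workaround.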
29. Talos
• Talos has two phases: analyzing the source code and instrumenting SWRRs.
[Figure: Source Code and Annotations feed the Analyze Source Code phase, which produces a Call Graph and Control Dependency information; the Add SWRRs to Source Code phase uses these to produce Source Code with SWRRs.]
Editor's Notes
link to previous slide – we want to understand the cause, more explanations to quotes
quotes – link to attempts of correct patch
first try does not pass regression testing
important to return an error code, explain later on
we propose two SWRR deployment modes
to understand how SWRRs can reduce the pre-patch window, we compare SWRR with full patch. As we can see, releasing a full patch consists of the steps of finding the location of the vulnerability, figuring out the cause of the vulnerability, constructing a patch, ensuring no functionality is broken with regression testing. And the users need to download and install the patch.
emphasize the skipping of three steps of full patch, talos icon
Readily available: almost every decent application has error-handling code
Designed for unexpected situations: safely allow an application to continually run after an error
Can be identified using static code analysis: needs minimum aid from developers
focus on the structure and purpose of the heuristics and how they fit together
clarify on why basic coverage is reduced to effective coverage