Many security critical systems rely on the correct implementation of the XML Digital Signature standard for the purposes of verification and identity management. Technologies such as SAML and Web Service Security use the standard, and its sibling XML Encryption, to manage the security of these technologies. Being a standard there is, unsurprisingly, no canonical implementation for any platform or language, with so many different developments there are likely to be differences in how the standard is interpreted.
This presentation is about research done against the main open and closed source implementations of XML Digital Signatures, how they can be exploited to gain remote code execution, signature verification bypass or denial of service. It will show some of the more nasty vulnerabilities found during the research including a novel attack against the built-in Java and .NET libraries which allow for trivial signature spoofing exposing any user of those implementations into accepting an invalid signature which is independent of their usage.
This contains all the slides used in Silicon Valley Code Camp presentation on Sunday Oct 4, 10:45 session on "Amazing new features in JavaScript". At the end ut also includes the last year presentation covering ES 5
Presentation I gave at a Rust Austin meetup in November 2018 about exploring different approaches for interpreting custom DSLs in Rust with varying speed characteristics and associated safety issues.
This contains all the slides used in Silicon Valley Code Camp presentation on Sunday Oct 4, 10:45 session on "Amazing new features in JavaScript". At the end ut also includes the last year presentation covering ES 5
Presentation I gave at a Rust Austin meetup in November 2018 about exploring different approaches for interpreting custom DSLs in Rust with varying speed characteristics and associated safety issues.
Explaining ES6: JavaScript History and What is to ComeCory Forsyth
An overview of some of the history of JavaScript, how it became ECMAScript (and what Ecma is), as well as highlights of the new features and syntax in ES6 aka ES2015.
Originally presented to the New York Public Library on June 4 2015.
A brief look at the new features coming in Javascript ES6:
- Scope and control
- Iterators and Generators
- Collections
- Typed objects
- Direct proxies
- Template strings
- API improvements
- Modularity
GECon 2017: C++ - a Monster that no one likes but that will outlast them allYauheni Akhotnikau
Slides from my presentation from GECon-2017 conference: https://events.epam.com/events/gecon-2017
It covers the following topics:
A bit of C++ evolution history.
Why C++ became popular and why C++ started to lose its popularity.
Why C++ is a Monster? If C ++ is a monster, then why does someone need C++?
How to use C++ safely and efficiently?
Where and when C++ can be used. If it can...
Pressure to C++ from competitors. Real and imaginary.
GECon2017_Cpp a monster that no one likes but that will outlast them all _Ya...GECon_Org Team
1. A bit of C++ evolution history.
2. Why C++ became popular and why C++ started to lose its popularity.
3. Why C++ is a Monster? If C ++ is a monster, then why does 4. someone need C++?
5. How to use C++ safely and efficiently?
6. Where and when C++ can be used. If it can...
7. Pressure to C++ from competitors. Real and imaginary.
Razvan Rotari shows an experiment to see how far you can go with binding in C++; Cristian Neamtu follows with an insight on how to achieve this in Rust using Serde.
Rainer Grimm, “Functional Programming in C++11”Platonov Sergey
C++ это мультипарадигменный язык, поэтому программист сам может выбирать и совмещать структурный, объектно-ориентированный, обобщенный и функциональный подходы. Функциональный аспект C++ особенно расширился стандартом C++11: лямбда-функции, variadic templates, std::function, std::bind. (язык доклада: английский).
write the TODO part of the program.docxannetnash8266
write the //TODO part of the program:
/***************************************************************************
* scramble.c
*
* Problem Set 3
*
* Implements Scramble with CS50.
*
* Usage: scramble [#]
*
* where # is an optional grid number.
***************************************************************************/
#include [removed]
#include [removed]
#include [removed]
#include [removed]
#include [removed]
#include [removed]
// duration of a game in seconds
#define DURATION 30
// grid's dimensions
#define DIMENSION 4
// maximum number of words in any dictionary
#define WORDS 172806
// maximum number of letters in any word
#define LETTERS 29
// default dictionary
// http://www.becomeawordgameexpert.com/wordlists.htm
#define DICTIONARY "words"
// for logging
FILE* log;
// grid
char grid[DIMENSION][DIMENSION];
// flags with which we can mark grid's letters while searching for words
bool marks[DIMENSION][DIMENSION];
// defines a word as having an array of letters plus a flag
// indicating whether word has been found on grid
typedef struct
{
bool found;
char letters[LETTERS + 1];
}
word;
// defines a dictionary as having a size and an array of words
struct
{
int size;
word words[WORDS];
}
dictionary;
// prototypes
void clear(void);
bool crawl(string letters, int x, int y);
void draw(void);
bool find(string s);
void initialize(void);
bool load(string s);
bool lookup(string s);
void scramble(void);
// This is Scramble.
int main(int argc, string argv[])
{
// ensure proper usage
if (argc > 2)
{
printf("Usage: %s [#]\n", basename(argv[0]));
return 1;
}
// seed pseudorandom number generator
if (argc == 2)
{
int seed = atoi(argv[1]);
if (seed <= 0)
{
printf("Invalid grid.\n");
return 1;
}
srand(seed);
}
else
srand(time(NULL));
// determine path to dictionary
string directory = dirname(argv[0]);
char path[strlen(directory) + 1 + strlen(DICTIONARY) + 1];
sprintf(path, "%s/%s", directory, DICTIONARY);
// load dictionary
if (!load(path))
{
printf("Could not open dictionary.\n");
return 1;
}
// initialize the grid
initialize();
// initialize user's score
int score = 0;
// calculate time of game's end
int end = time(NULL) + DURATION;
// open log
log = fopen("log.txt", "w");
if (log == NULL)
{
printf("Could not open log.\n");
return 1;
}
// accept words until timer expires
while (true)
{
// clear the screen
clear();
// draw the current state of the grid
draw();
// log board
for (int row = 0; row < DIMENSION; row++)
{
for (int col = 0; col [removed]= end)
.
Explaining ES6: JavaScript History and What is to ComeCory Forsyth
An overview of some of the history of JavaScript, how it became ECMAScript (and what Ecma is), as well as highlights of the new features and syntax in ES6 aka ES2015.
Originally presented to the New York Public Library on June 4 2015.
A brief look at the new features coming in Javascript ES6:
- Scope and control
- Iterators and Generators
- Collections
- Typed objects
- Direct proxies
- Template strings
- API improvements
- Modularity
GECon 2017: C++ - a Monster that no one likes but that will outlast them allYauheni Akhotnikau
Slides from my presentation from GECon-2017 conference: https://events.epam.com/events/gecon-2017
It covers the following topics:
A bit of C++ evolution history.
Why C++ became popular and why C++ started to lose its popularity.
Why C++ is a Monster? If C ++ is a monster, then why does someone need C++?
How to use C++ safely and efficiently?
Where and when C++ can be used. If it can...
Pressure to C++ from competitors. Real and imaginary.
GECon2017_Cpp a monster that no one likes but that will outlast them all _Ya...GECon_Org Team
1. A bit of C++ evolution history.
2. Why C++ became popular and why C++ started to lose its popularity.
3. Why C++ is a Monster? If C ++ is a monster, then why does 4. someone need C++?
5. How to use C++ safely and efficiently?
6. Where and when C++ can be used. If it can...
7. Pressure to C++ from competitors. Real and imaginary.
Razvan Rotari shows an experiment to see how far you can go with binding in C++; Cristian Neamtu follows with an insight on how to achieve this in Rust using Serde.
Rainer Grimm, “Functional Programming in C++11”Platonov Sergey
C++ это мультипарадигменный язык, поэтому программист сам может выбирать и совмещать структурный, объектно-ориентированный, обобщенный и функциональный подходы. Функциональный аспект C++ особенно расширился стандартом C++11: лямбда-функции, variadic templates, std::function, std::bind. (язык доклада: английский).
write the TODO part of the program.docxannetnash8266
write the //TODO part of the program:
/***************************************************************************
* scramble.c
*
* Problem Set 3
*
* Implements Scramble with CS50.
*
* Usage: scramble [#]
*
* where # is an optional grid number.
***************************************************************************/
#include [removed]
#include [removed]
#include [removed]
#include [removed]
#include [removed]
#include [removed]
// duration of a game in seconds
#define DURATION 30
// grid's dimensions
#define DIMENSION 4
// maximum number of words in any dictionary
#define WORDS 172806
// maximum number of letters in any word
#define LETTERS 29
// default dictionary
// http://www.becomeawordgameexpert.com/wordlists.htm
#define DICTIONARY "words"
// for logging
FILE* log;
// grid
char grid[DIMENSION][DIMENSION];
// flags with which we can mark grid's letters while searching for words
bool marks[DIMENSION][DIMENSION];
// defines a word as having an array of letters plus a flag
// indicating whether word has been found on grid
typedef struct
{
bool found;
char letters[LETTERS + 1];
}
word;
// defines a dictionary as having a size and an array of words
struct
{
int size;
word words[WORDS];
}
dictionary;
// prototypes
void clear(void);
bool crawl(string letters, int x, int y);
void draw(void);
bool find(string s);
void initialize(void);
bool load(string s);
bool lookup(string s);
void scramble(void);
// This is Scramble.
int main(int argc, string argv[])
{
// ensure proper usage
if (argc > 2)
{
printf("Usage: %s [#]\n", basename(argv[0]));
return 1;
}
// seed pseudorandom number generator
if (argc == 2)
{
int seed = atoi(argv[1]);
if (seed <= 0)
{
printf("Invalid grid.\n");
return 1;
}
srand(seed);
}
else
srand(time(NULL));
// determine path to dictionary
string directory = dirname(argv[0]);
char path[strlen(directory) + 1 + strlen(DICTIONARY) + 1];
sprintf(path, "%s/%s", directory, DICTIONARY);
// load dictionary
if (!load(path))
{
printf("Could not open dictionary.\n");
return 1;
}
// initialize the grid
initialize();
// initialize user's score
int score = 0;
// calculate time of game's end
int end = time(NULL) + DURATION;
// open log
log = fopen("log.txt", "w");
if (log == NULL)
{
printf("Could not open log.\n");
return 1;
}
// accept words until timer expires
while (true)
{
// clear the screen
clear();
// draw the current state of the grid
draw();
// log board
for (int row = 0; row < DIMENSION; row++)
{
for (int col = 0; col [removed]= end)
.
In the early days of computer science coding was viewed as an art. In the modern world of software engineering we may have lost the art to make way for rules and best practices. The International Obfuscated C Code Contest offers a chance for the coder to think beyond the rules of software engineering and unleash their creative side. We'll explore some of the more interesting entries in the past, take a closer look at some exotic C syntax, and finish up by exploring Bruce Holloway's 1986 entry.
From the Un-Distinguished Lecture Series (http://ws.cs.ubc.ca/~udls/). The talk was given Feb. 2, 2007
C++ and OOPS Crash Course by ACM DBIT | Grejo JobyGrejoJoby1
The slides from the C++ and OOPS Crash Course conducted for ACM DBIT by Grejo Joby.
Learn the concepts of OOPS and C++ Programming in the shortest time with these notes.
The purpose of this C++ programming project is to allow the student .pdfRahul04August
The purpose of this C++ programming project is to allow the student to perform parallel array
and multidimensional array processing. The logic for string and Cstring has already been
completed, so the assignment can be started before we actually cover string and Cstring in detail.
This program has the following three menu options:
Solution
/*
This program uses simple arrays, multidimensional arrays, cstrings, strings, and files.
It allows a payroll clerk to choose an option from a menu. The choices are:
A: List the Payroll Information by Employee Name
B: Search Payroll Information by Employee Name
X: Exit the Payroll Information Module
The following items for each employee are saved in the file p10.txt:
Employee ID (1000 - 9999)
Last Name (15 characters)
First Name (15 characters)
Rate (5.00 - 10.00)
Hours W1,W2,W3,W4 (0-60)
*/
#include // file processing
#include // cin and cout
#include // toupper
#include // setw
#include // cstring functions strlen, strcmp, strcpy stored in string.h
#include // string class
#define stricmp strcasecmp
#define strnicmp strncasecmp
using namespace std;
//Disable warning messages C4267 C4996.
//To see the warnings, comment out the following line.
//#pragma warning( disable : 4267 4996)
//Warning C4267: coversion from size_t to int, possible lost of data
//size_t is a data type defined in and is an unsigned integer.
//The function strlen returns a value of the type size_t, but in
//searchByName we assign the returned value to an int.
//We could also declare the variable as size_t instead of int.
// size_t stringLength;
//Warning C4996: strnicmp strcpy, stricmp was declared deprecated, means
//the compiler encountered a function that was marked with deprecated.
//The deprecated function may no longer be supported in a future release.
//Global Constants
//When using to declare arrays, must be defined with const modifier
const int ARRAY_SIZE = 20, HOURS_SIZE = 4, NAME_SIZE = 16;
//Declare arrays as global so we don\'t have to pass the arrays to each function.
//Normally we wouldn\'t declare variables that change values a global.
int employeeId[ARRAY_SIZE];
string firstName[ARRAY_SIZE];
char lastName[ARRAY_SIZE][NAME_SIZE];
double rate[ARRAY_SIZE];
int hours[ARRAY_SIZE][HOURS_SIZE];
int numberOfEmps; //count of how many employees were loaded into arrays
int sumHours[ARRAY_SIZE] = {0}; //initialize arrays to zero by providing a
double avgHours[ARRAY_SIZE] = {0}; //value for the first element in the array
//Function Prototypes
void loadArray( );
void sumAndComputeAvgHours( );
void listByName( );
void searchByName( );
void sortByName( );
void swapValues(int i, int minIndex);
void listEmployees( );
void listEmployeesHeadings( );
void listEmployeesDetails(int i);
void listEmployeesTotals( );
void displayContinuePrompt( );
//Program starts here
int main()
{
//Declare and initialize local main variables
char choice; //menu option
//Load the arrays with data
loadArray();
//Sum and compute the average hours
sumAndComputeAv.
This is the Java code i have for a Battleship project i am working o.pdfcalderoncasto9163
This is the Java code i have for a Battleship project i am working on, i am now wanting to
convert this to a fully graphical Gui interface, but i just cant seem to get anywhere with it, so if i
could get some help with this, i would apperciate it....(just a reminder its in JAVA)
public class BattleshipGame {
private Ocean ocean;
private boolean[][] availableSpot;
private Scanner sc;
public BattleshipGame() {
// define a new ocean and a new 2D array to store available coordinates
ocean = new Ocean();
availableSpot = new boolean[10][10];
for (int i = 0; i < 10; i++) {
for (int j = 0; j < 10; j++){
availableSpot[i][j] = true;
}
}
}
/**
* prints the game menu and info
* //param select
*/
public void print(int select){
String info;
switch (select) {
case 1: info = \"Welcome to the World of Battleship!\";
break;
case 2: info = \"Enter coordinates to fire: \";
break;
case 3: info = \"Shots fired: \"+ocean.getShotsFired()+\", Ships sunk:
\"+ocean.getShipsSunk();
break;
case 4: info = \"Congratulations! You win!\";
break;
case 99: info = \"Invalid input. Please re-enter:\";
break;
case 100: info = \"--------------------------------------------\";
break;
case 101: info = \"\ ============================================\";
break;
default: info = \"Error selection\";
break;
}
System.out.println(info);
}
/**
* check if the input is valid
* //param input
* //return boolean
*/
public boolean checkValidInput(String input){
ArrayList numList = new ArrayList();
for (int i=0;i<10;i++){
numList.add(\"\"+i);
}
String[] coordinates = input.split(\" \");
//returns false if there are not 2 strings
if (coordinates.length!=2){
return false;
}
//returns false if any of the strings is not a single digit number
for (String str: coordinates){
if (numList.contains(str)==false){
return false;
}
}
//returns false if the coordinates have already been shot at
int row = Integer.parseInt(coordinates[0]);
int column = Integer.parseInt(coordinates[1]);
if (this.availableSpot[row][column]==false){
return false;
}
return true;
}
/**
* get the coordinates to shoot at from the String input
* //param input
* //return int[] coordinates
*/
public int[] getCoordinates(String input){
int[] coordinates = new int[2];
String[] strList = input.split(\" \");
int row = Integer.parseInt(strList[0]);
int column = Integer.parseInt(strList[1]);
coordinates[0] = row;
coordinates[1] = column;
return coordinates;
}
/**
* play the battleship game
*/
public void play(){
print(101);
print(1);
ocean.placeAllShipsRandomly();
boolean isGameOver = ocean.isGameOver();
sc = new Scanner(System.in);
//print the ocean and start the game
ocean.print();
print(3);
while (!isGameOver){
print(2);
String input = sc.nextLine();
//check if input is valid
while (!checkValidInput(input)){
print(99);
input = sc.nextLine();
}
//get coordinates and fire
int[] coordinates = getCoordinates(input);
int row = coordinates[0];
int column = coordinates[1];
ocean.shootAt(row, column);
availableSpot[row][column] = false;
isGameOver = o.
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
Your job is to secure operations. But nobody listens to you. There’s no budget. Management keeps making bad security decisions that seem to sabotage your efforts. Do you flee or do you try harder? The security books, blogs, and tweeting pundits out there tell us we need to learn the language of business. We need to put risk in terms of money that management understands. We need to be like the management we’re trying to protect. And that’s where it all falls apart. The security to business relationship is often textbook abusive codependency. You do well and nobody notices. You fail and you get fired or worse- shamed by your peers over social media for whatever the company releases as the statement for the breach. So how do you do SecOps under those conditions? This talk will focus on new ways to approach SecOps to face the challenges you have today with business demands. We will look at new security research that will make a difference for how you do your job. Most of all we will show you technical security practices to help you sustain your new found stance.
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
One of the hottest topics in current crypto research is Post-Quantum Cryptography. This branch of cryptography addresses asymmetric crypto systems that are not prone to quantum computers.
Virtually all asymmetric crypto systems currently in use (Diffie-Hellman, RSA, DSA, and Elliptic Curve Crypto Systems) are not Post-Quantum. They will be useless, once advanced quantum computers will be available. Quantum computer technology has made considerable progress in recent years, with major organisations, like Google, NSA, and NASA, investing in it.
Post-Quantum Cryptography uses advanced mathematical concepts. Even if one knows the basics of current asymmetric cryptography (integer factorisation, discrete logarithms, …), Post-Quantum algorithms are hard to understand.
The goal of this presentation is to explain Post-Quantum Cryptography in a way that is comprehensible for non-mathematicians. Five families of crypto systems (as good as all known Post-Quantum algorithms belong to these) will be introduced:
Lattice-based systems:
The concept of lattice-based asymmetric encryption will be explained with a two-dimensional grid (real-world implementations use 250 dimensions and more). Some lattice-based ciphers (e.g., New Hope) make use of the Learning with Error (LWE) concept. I will demonstrate LWE encryption in a way that is understandable to somebody who knows Gaussian elimination (this is taught at middle school). Other lattice-based systems (especially NTRU) use truncated polynomials, which I will also explain in a simple way.
Code-based systems:
McEliece and a few other asymmetric ciphers are based on error correction codes. While teaching the whole McEliece algorithm might be too complex for a 44CON presentation, it is certainly possible to explain error correction codes and the main McEliece fundamentals.
Non-commutative systems:
There are nice ways to explain non-commutative groups and the crypto systems based on these, using everyday-life examples. Especially, twisting a Rubik’s Cube and plaiting a braid are easy-to-understand group operations a crypto system can be built on.
Multivariate systems:
Multivariate crypto can be explained to somebody who knows Gaussian elimination.
Hash-based signatures: If properly explained, Hash-based signatures are easier to understand than any other asymmetric crypto scheme.
I will explain these systems with cartoons, drawings, photographs, a Rubik’s Cube and other items.
In addition, I will give a short introduction to quantum computers and the current Post-Quantum Crypto Competition (organised by US authority NIST).
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
Data Center security has been forced to reinvent itself as software complexity increases, networking capabilities grow more agile, and attack complexity turns unmanageable. With this change, the need for security policy enforcement to be handled at the edge has pushed functionality onto host compute systems, resulting in inherent performance loss and security weakness due to consolidation of resources.
In the first part of the talk we will be presenting a SmartNIC-based model for data-center security that solves both the performance problem and the security problems of edge-centric policy models. The model features a more robust isolation of responsibilities, superior offload capabilities, significantly better scaling of policy, and unique visibility opportunities.
To illustrate this, we present a SmartNIC-based reference architecture for network layout, as well as examples of SmartNIC security controls and their resulting threat models.
The second part of the talk will unveil a new innovative technique for tamper proof host introspection as SmartNICs are in a unique position to analyze and inspect the memory of the host to which they are attached. Normally, this functionality is reserved for a hypervisor, where it is known as ‘guest introspection’ or ‘virtual-machine introspection’. With host introspection, security controls no longer live in the hypervisor, but on the SmartNIC itself, on a separate trust domain. In this way, the visibility normally achieved with guest introspection can be performed for the entire host memory in an isolated and secure area. In order for host introspection to work in the same way as guest introspection, memory is DMA transferred in bursts over the PCI-e bus that attaches the SmartNIC to the host. As this method can be subverted to hide unwanted software, we will demonstrate a novel approach to tamper proof the acquisition of memory and for performing live introspection.
Host introspection complements the network controls implemented using the SmartNIC by enabling the measurement of the integrity and the behavior of workloads (virtual machines, containers, bare metal servers) to identify possible indicators of compromise. The visibility and context gained also enhances the granularity of network controls, resulting in measurably better security for the data center compared to traditional software-only based controls.
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
Exploits, Backdoors, and Hacks: words we do not commonly hear when speaking of Machine Learning (ML). In this talk, I will present the relatively new field of hacking and manipulate machine learning systems and the potential these techniques pose for active offensive research.
The study of Adversarial ML allows us to leverage the techniques used by these algorithms to find weak points and exploit them in order to achieve:
Unexpected consequences (why did it decide this rifle is a banana?)
Data leakage (how did they know Joe has diabetes)
Memory corruption and other exploitation techniques (boom! RCE)
Influence the output
In other words, while ML is great at identifying and classifying patterns, an attacker can take advantage of this and take control of the system.
This talk is an extension of research made by many people, including presenters at DefCon, CCC, and others – a live demo will be shown on stage!
Garbage In, RCE Out :)
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
Numerous technical articles, presentations, and even books exists about reverse engineering the Windows Driver Model (WDM) for purposes that vary from simply understanding how a specific driver works, to malware analysis and bug hunting. On the other hand, Microsoft has been providing the Kernel Mode Driver Framework (KMDF) for quite a while and we now see more and more drivers shifting to this framework instead of interacting directly with the OS like in the old WDM times. Yet, there is close to no information on how to approach this model from a reverse engineering and offensive standpoint.
In this presentation, I will first do a quick recap on WDM drivers, its common structures, and how to identify its entry points. Then I’ll introduce KMDF with all its relevant functions for reverse engineering through a set of case-studies. I’ll describe how to interact with a KMDF device object through SetupDI api and how to find and analyze the different IO queues dispatch routines. Does the framework actually enhances security? We’ll come to a conclusion after revealing some major vendor implementation problems.
Armed with this knowledge, you will be able to run your own bug hunting session over any KMDF driver.
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
In March 2018, the UK launched its Secure by Design report in order to help defend against security threats, especially for consumer Internet of Things products and services. Over the past few years, poorly secured IoT devices have been hijacked in both targeted as well as large-scale DDoS attacks such as Mirai. In addition to this, poor security can threaten both privacy and safety.
The speaker, David Rogers authored the UK’s ‘Code of Practice for Security in Consumer IoT Products and Associated Services’, in collaboration with DCMS, NCSC, ICO and industry colleagues with extensive support from the security research community. David will discuss the guidelines within the Code of Practice, why these were prioritised and why the top three became dealing with the password problem, implementing vulnerability disclosure and acting on it and addressing software updates. David will also look at what’s next: what will the challenges be and will the Code of Practice succeed in its aims? How can IoT products possibly be certified and how will the threat landscape change in response to improving security?
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
Cyber Security is often framed in terms of ‘Risk’- the possibility of suffering harm or loss – and the ‘Management’ of Risk to reduce uncertainty. This is familiar territory for businesses. Cyber Security falls in neatly under Risk Management, is assigned a suitable place on the organigramme, tossed some spare budget and granted a few paragraphs in the board report. NIST defines Risk as a ‘function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organisation’.
Key theme:
This presentation explores the idea that making cyber security analogous to risk is holding us back. How about we talk about security ‘debt’ instead? Technical Debt is already a well understood concept in software development – the cost of additional rework caused by choosing an easy solution now instead of using a better approach that would take longer or cost more. Changing our language changes how we think and how we behave. This presentation argues that such a change could have a significant impact on software security.
In this presentation we will comment on the power of ‘analogies’ and how they’ve shaped our industry. We’ll then consider the difference between the ‘security as risk’ and the ‘security as debt’ paradigms and explore how changing paradigms may change the way we think about, talk about and measure software security. We believe this could have a very empowering effect on development managers and other security professionals who are struggling to articulate the relative benefits of security (or a lack of security) to a software product.
Con speakers fear the Nerf gun. Overrun your talk time at your peril; Steve will shoot your arse with extreme prejudice until you STFU. We had to find a way to pwn the gun and shoot him back.
That’s when we found the Nerf Terrascout: a remote tank gun controlled over 2.4GHz, with a video feed to the remote, complete with crosshairs.
At first, we thought this would be a trivial job: figure out the RF and take control. It turned in to a mammoth hardware, firmware and RF reversing project.
This puppy is so over-specced it would drive you to tears.
The talk will cover the fails, hair loss and eventual success. There won’t be any smart dildos in it, though some of the techniques used are equally suited to teledildonics exploitation, if that’s your thing.
Reversing RF in a high frequency environment using SDRs is challenging. We’ll discuss how we worked around these issues using hardware reversing skills.
We had to import hardware from China for this project, which we could then programme ourselves using SPI, impersonate the legitimate controller and ‘jack the tank gun.
This talk will of course include a live demonstration of hijacking the tank gun and (possibly) shooting Steve.
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
Presented by: Julien Voisin and Thibault Koechlin
Suhosin is a great PHP module, but unfortunately, it’s getting old, new ways have been found to compromise PHP applications, and some aren’t working anymore; and it doesn’t play well with the shiny new PHP 7. As a secure web-hosting company, we needed a reliable and future-proof solution to address the flow of new vulnerabilities that are published every day. This is why we developed Snuffleupagus, a new (and open-source!) PHP security module, that provides several features that we needed: passively killing several PHP-specific bug classes, but also implementing virtual-patching at the PHP level, allowing to patch vulnerabilities in a precise, false-positive-free, ultra-low overhead way, without even touching the applications’ code.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
44CON 2013 - The Forger's Art: Exploiting XML Digital Signature Implementations - James Forshaw
1. The Forger’s Art
Exploiting XML Digital Signature Implementations
44con 2013
James Forshaw (@tiraniddo)
Research. Response. Assurance.
@CTXIS
2. What am I going to talk
about?
• XML Digital Signature Implementations
• Vulnerabilities and how to exploit
– Memory Corruption
– Denial of Service
– Parsing Issues
– Signature Spoofing
• Demos
3. Why?
•
•
•
•
•
SOAP Web Service Security
Visa 3D Secure / Verified by Visa
SAML Assertions
MS Office Signatures
.NET ClickOnce/XBAP Manifests
23. CVE-2013-2156
bool isWhiteSpace(char c) {
return c == ' ' || c == '0' || c == 't'
|| c == 'r' || c == 'n';
}
void XSECC14n20010315::setExclusive(char * xmlnsList) {
char* nsBuf = new char [strlen(xmlnsList) + 1];
int i = 0, j = 0;
while (xmlnsList[i] != '0') {
while (isWhiteSpace(xmlnsList[i]))
++i; // Skip white space
j = 0;
while (!isWhiteSpace(xmlnsList[i]))
nsBuf[j++] = xmlnsList[i++]; // Copy name
// Terminate the string
nsBuf[j] = '0';
// Add to exclusive list
m_exclNSList.push_back(strdup(nsBuf));
}
}
24. CVE-2013-2156
bool isWhiteSpace(char c) {
return c == ' ' || c == '0' || c == 't'
|| c == 'r' || c == 'n';
}
void XSECC14n20010315::setExclusive(char * xmlnsList) {
char* nsBuf = new char [strlen(xmlnsList) + 1];
int i = 0, j = 0;
while (xmlnsList[i] != '0') {
while (isWhiteSpace(xmlnsList[i]))
++i; // Skip white space
j = 0;
while (!isWhiteSpace(xmlnsList[i]))
nsBuf[j++] = xmlnsList[i++]; // Copy name
// Terminate the string
nsBuf[j] = '0';
// Add to exclusive list
m_exclNSList.push_back(strdup(nsBuf));
}
}
25. CVE-2013-2156
bool isWhiteSpace(char c) {
return c == ' ' || c == '0' || c == 't'
|| c == 'r' || c == 'n';
}
void XSECC14n20010315::setExclusive(char * xmlnsList) {
char* nsBuf = new char [strlen(xmlnsList) + 1];
int i = 0, j = 0;
while (xmlnsList[i] != '0') {
while (isWhiteSpace(xmlnsList[i]))
++i; // Skip white space
j = 0;
while (!isWhiteSpace(xmlnsList[i]))
nsBuf[j++] = xmlnsList[i++]; // Copy name
// Terminate the string
nsBuf[j] = '0';
// Add to exclusive list
m_exclNSList.push_back(strdup(nsBuf));
}
}
26. CVE-2013-2156
bool isWhiteSpace(char c) {
return c == ' ' || c == '0' || c == 't'
|| c == 'r' || c == 'n';
}
void XSECC14n20010315::setExclusive(char * xmlnsList) {
char* nsBuf = new char [strlen(xmlnsList) + 1];
int i = 0, j = 0;
while (xmlnsList[i] != '0') {
while (isWhiteSpace(xmlnsList[i]))
++i; // Skip white space
j = 0;
while (!isWhiteSpace(xmlnsList[i]))
nsBuf[j++] = xmlnsList[i++]; // Copy name
// Terminate the string
nsBuf[j] = '0';
// Add to exclusive list
m_exclNSList.push_back(strdup(nsBuf));
}
}
27. CVE-2013-2156
bool isWhiteSpace(char c) {
return c == ' ' || c == '0' || c == 't'
|| c == 'r' || c == 'n';
}
void XSECC14n20010315::setExclusive(char * xmlnsList) {
char* nsBuf = new char [strlen(xmlnsList) + 1];
int i = 0, j = 0;
while (xmlnsList[i] != '0') {
while (isWhiteSpace(xmlnsList[i]))
++i; // Skip white space
j = 0;
while (!isWhiteSpace(xmlnsList[i]))
nsBuf[j++] = xmlnsList[i++]; // Copy name
// Terminate the string
nsBuf[j] = '0';
// Add to exclusive list
m_exclNSList.push_back(strdup(nsBuf));
}
}
28. CVE-2013-2156
bool isWhiteSpace(char c) {
return c == ' ' || c == '0' || c == 't'
|| c == 'r' || c == 'n';
}
void XSECC14n20010315::setExclusive(char * xmlnsList) {
char* nsBuf = new char [strlen(xmlnsList) + 1];
int i = 0, j = 0;
while (xmlnsList[i] != '0') {
while (isWhiteSpace(xmlnsList[i]))
++i; // Skip white space
j = 0;
while (!isWhiteSpace(xmlnsList[i]))
nsBuf[j++] = xmlnsList[i++]; // Copy name
// Terminate the string
nsBuf[j] = '0';
// Add to exclusive list
m_exclNSList.push_back(strdup(nsBuf));
}
}
29. CVE-2013-2156
bool isWhiteSpace(char c) {
return c == ' ' || c == '0' || c == 't'
|| c == 'r' || c == 'n';
}
void XSECC14n20010315::setExclusive(char * xmlnsList) {
char* nsBuf = new char [strlen(xmlnsList) + 1];
int i = 0, j = 0;
while (xmlnsList[i] != '0') {
while (isWhiteSpace(xmlnsList[i]))
++i; // Skip white space
j = 0;
while (!isWhiteSpace(xmlnsList[i]))
nsBuf[j++] = xmlnsList[i++]; // Copy name
// Terminate the string
nsBuf[j] = '0';
// Add to exclusive list
m_exclNSList.push_back(strdup(nsBuf));
}
}
38. CVE-2013-2154
• Affected Apache Santuario C++
• Unauthenticated
• Stack overflow parsing a Reference
URI
• Bonus: Fix was wrong, ended up with a
heap overflow instead
39. Reference URIs
<good id="xyz">
</good>
Reference Type
Example
ID Reference
<Reference URI="#xyz">
Entire Document
<Reference URI="">
XPointer ID
<Reference URI="#xpointer(id('xyz'))">
XPointer Entire Document
<Reference URI="#xpointer(/)">
External
<Reference URI="http://domain.com/file.xml">
40. CVE-2013-2154
const char* URI = getReferenceUri();
// Check for #xpointer(id('A'))
if (strncmp(URI, "#xpointer(id('", 14)
{
size_t len = strlen(&URI[14]);
char tmp[512];
if (len > 511)
len = 511;
size_t j = 14, i = 0;
// Extract ID value
while (URI[j] != ''') {
tmp[i++] = URI[j++];
}
tmp[i] = '0';
}
== 0)
41. CVE-2013-2154
const char* URI = getReferenceUri();
// Check for #xpointer(id('A'))
if (strncmp(URI, "#xpointer(id('", 14)
{
size_t len = strlen(&URI[14]);
char tmp[512];
if (len > 511)
len = 511;
size_t j = 14, i = 0;
// Extract ID value
while (URI[j] != ''') {
tmp[i++] = URI[j++];
}
tmp[i] = '0';
}
== 0)
42. CVE-2013-2154
const char* URI = getReferenceUri();
// Check for #xpointer(id('A'))
if (strncmp(URI, "#xpointer(id('", 14)
{
size_t len = strlen(&URI[14]);
char tmp[512];
if (len > 511)
len = 511;
size_t j = 14, i = 0;
// Extract ID value
while (URI[j] != ''') {
tmp[i++] = URI[j++];
}
tmp[i] = '0';
}
== 0)
43. CVE-2013-2154
const char* URI = getReferenceUri();
// Check for #xpointer(id('A'))
if (strncmp(URI, "#xpointer(id('", 14)
{
size_t len = strlen(&URI[14]);
char tmp[512];
if (len > 511)
len = 511;
size_t j = 14, i = 0;
// Extract ID value
while (URI[j] != ''') {
tmp[i++] = URI[j++];
}
tmp[i] = '0';
}
== 0)
50. Mono C14N Vulnerability
• Affected Mono (unfixed)
• Also affected XMLSEC1 (fixed)
• Allows limited signed content
modification
• Same author for both implementations
52. The Bug
<good x='"'/>
<good xmlns='"'/>
<good x="""></good>
<good xmlns="""></good>
LibXML2 Requires Valid URLs for
Namespaces, though Mono doesn't
Still, xmlns='http://["]/' works on XMLSEC1
56. CVE-2013-2153
bool DSIGSignature::verify(void) {
// First thing to do is check the references
bool referenceCheckResult = mp_signedInfo->verify();
// Check the signature
bool sigVfyResult = verifySignatureOnlyInternal();
return sigVfyResult & referenceCheckResult;
}
57. CVE-2013-2153
bool DSIGSignature::verify(void) {
// First thing to do is check the references
// bool referenceCheckResult = mp_signedInfo->verify();
-----------------------------------------//
Verify each reference element
// Check the signature
// -----------------------------------------bool sigVfyResult = verifySignatureOnlyInternal();
}
bool DSIGSignedInfo::verify() {
return sigVfyResult & referenceCheckResult;
return DSIGReference::verifyReferenceList(mp_referenceList);
}
58. CVE-2013-2153
bool DSIGSignature::verify(void) {
}
// First thing to do is check the references
// bool referenceCheckResult = mp_signedInfo->verify();
-----------------------------------------bool DSIGReference::verifyReferenceList(DSIGReferenceList * lst) {
//
Verify each reference element
// Run through a list of hashes and checkHash for each one
// Check the signature
// -----------------------------------------bool res = true;
bool sigVfyResult = verifySignatureOnlyInternal();
int size = lst->getSize();
bool DSIGSignedInfo::verify() { ++i) {
for (int i = 0; i < size;
return sigVfyResult & referenceCheckResult;
return DSIGReference::verifyReferenceList(mp_referenceList);
if (lst->item(i)->checkHash()) {
}
res = false;
}
}
return res;
}
59. CVE-2013-2153
bool DSIGSignature::verify(void) {
}
// First thing to do is check the references
// bool referenceCheckResult = mp_signedInfo->verify();
-----------------------------------------bool DSIGReference::verifyReferenceList(DSIGReferenceList * lst) {
//
Verify each reference element
// Run through a list of hashes and checkHash for each one
// Check the signature
// -----------------------------------------bool res = true;
bool sigVfyResult = verifySignatureOnlyInternal();
int size = lst->getSize();
bool DSIGSignedInfo::verify() { ++i) {
for (int i = 0; i < size;
return sigVfyResult & referenceCheckResult;
return DSIGReference::verifyReferenceList(mp_referenceList);
if (lst->item(i)->checkHash()) {
}
res = false;
}
}
return res;
}
60. CVE-2013-2153
bool DSIGSignature::verify(void) {
}
// First thing to do is check the references
// bool referenceCheckResult = mp_signedInfo->verify();
-----------------------------------------bool DSIGReference::verifyReferenceList(DSIGReferenceList * lst) {
//
Verify each reference element
// Run through a list of hashes and checkHash for each one
// Check the signature
// -----------------------------------------bool res = true;
bool sigVfyResult = verifySignatureOnlyInternal();
int size = lst->getSize();
bool DSIGSignedInfo::verify() { ++i) {
for (int i = 0; i < size;
return sigVfyResult & referenceCheckResult;
return DSIGReference::verifyReferenceList(mp_referenceList);
if (lst->item(i)->checkHash()) {
}
res = false;
}
}
return res;
}
61. CVE-2013-2153
bool DSIGSignature::verify(void) {
}
// First thing to do is check the references
// bool referenceCheckResult = mp_signedInfo->verify();
-----------------------------------------bool DSIGReference::verifyReferenceList(DSIGReferenceList * lst) {
//
Verify each reference element
// Run through a list of hashes and checkHash for each one
// Check the signature
// -----------------------------------------bool res = true;
bool sigVfyResult = verifySignatureOnlyInternal();
int size = lst->getSize();
bool DSIGSignedInfo::verify() { ++i) {
for (int i = 0; i < size;
return sigVfyResult & referenceCheckResult;
return DSIGReference::verifyReferenceList(mp_referenceList);
if (lst->item(i)->checkHash()) {
}
res = false;
}
}
return true;
}
62. CVE-2013-2153
void DSIGSignedInfo::load(void) {
DOMNode * child = mp_signedInfoNode->getFirstChild();
// Load rest of SignedInfo
...
// Now look at references....
child = child->getNextSibling();
// Run through the rest of the elements until done
while (child != 0 && (child->getNodeType() != DOMNode::ELEMENT_NODE))
// Skip text and comments
child = child->getNextSibling();
if (child != NULL)
// Have an element node - should be a reference, so let's load the list
mp_referenceList = DSIGReference::loadReferenceListFromXML(mp_env, child);
}
63. CVE-2013-2153
void DSIGSignedInfo::load(void) {
DOMNode * child = mp_signedInfoNode->getFirstChild();
// Load rest of SignedInfo
...
// Now look at references....
child = child->getNextSibling();
// Run through the rest of the elements until done
while (child != 0 && (child->getNodeType() != DOMNode::ELEMENT_NODE))
// Skip text and comments
child = child->getNextSibling();
if (child != NULL)
// Have an element node - should be a reference, so let's load the list
mp_referenceList = DSIGReference::loadReferenceListFromXML(mp_env, child);
}
64. CVE-2013-2153
void DSIGSignedInfo::load(void) {
DOMNode * child = mp_signedInfoNode->getFirstChild();
// Load rest of SignedInfo
...
// Now look at references....
child = child->getNextSibling();
// Run through the rest of the elements until done
while (child != 0 && (child->getNodeType() != DOMNode::ELEMENT_NODE))
// Skip text and comments
child = child->getNextSibling();
if (child != NULL)
// Have an element node - should be a reference, so let's load the list
mp_referenceList = DSIGReference::loadReferenceListFromXML(mp_env, child);
}
65. CVE-2013-2153
void DSIGSignedInfo::load(void) {
DOMNode * child = mp_signedInfoNode->getFirstChild();
// Load rest of SignedInfo
...
// Now look at references....
child = child->getNextSibling();
// Run through the rest of the elements until done
while (child != 0 && (child->getNodeType() != DOMNode::ELEMENT_NODE))
// Skip text and comments
child = child->getNextSibling();
if (child != NULL)
// Have an element node - should be a reference, so let's load the list
mp_referenceList = DSIGReference::loadReferenceListFromXML(mp_env, child);
}
80. CVE-2013-2155
• Affected Apache C++ (again)
• Circumvented "fix" for HMAC
Truncation (CVE-2009-0217)
• By sheer ineptitude it ended up an DoS
rather than a Signature Bypass
84. CVE-2013-2155
while (child && strcmp(getDSIGLocalName(child, "HMACOutputLength") != 0)
child = child->getNextSibling();
if (child) {
// Have a max output value!
DOMNode *textNode = child->getFirstChild();
if (textNode) {
m_HMACOutputLength = atoi(textNode->getNodeValue());
}
}
85. CVE-2013-2155
while (child && strcmp(getDSIGLocalName(child, "HMACOutputLength") != 0)
child = child->getNextSibling();
if (child) {
// Have a max output value!
DOMNode *textNode = child->getFirstChild();
if (textNode) {
m_HMACOutputLength = atoi(textNode->getNodeValue());
}
}
86. CVE-2013-2155
while (child && strcmp(getDSIGLocalName(child, "HMACOutputLength") != 0)
child = child->getNextSibling();
if (child) {
// Have a max output value!
DOMNode *textNode = child->getFirstChild();
if (textNode) {
m_HMACOutputLength = atoi(textNode->getNodeValue());
}
}
87. CVE-2013-2155
while (child && strcmp(getDSIGLocalName(child, "HMACOutputLength") != 0)
child = child->getNextSibling();
if (child) {
// Have a max output value!
DOMNode *textNode = child->getFirstChild();
if (textNode) {
m_HMACOutputLength = atoi(textNode->getNodeValue());
}
}
So m_HMACOutputLength is an int?
88. CVE-2013-2155
while (child && strcmp(getDSIGLocalName(child, "HMACOutputLength") != 0)
child = child->getNextSibling();
if (child) {
// First find the appropriate handler for the URI
// Have a max output value!
XSECAlgorithmHandler* handler =
DOMNode *textNode = tmpSOV->getFirstChild();
mapURIToHandler(mp_signedInfo->getAlgorithmURI());
if (textNode) {
m_HMACOutputLength = atoi(textNode->getNodeValue());
bool sigVfyRet = handler->verifyBase64Signature(
}
m_signatureValueSB.rawCharBuffer(),
}
mp_signedInfo->getHMACOutputLength(),
mp_signingKey);
89. CVE-2013-2155
while (child && strcmp(getDSIGLocalName(child, "HMACOutputLength") != 0)
child = child->getNextSibling();
if (child) {
// First find the appropriate handler for the URI
// Have a max output value!
XSECAlgorithmHandler* handler =
DOMNode *textNode = tmpSOV->getFirstChild();
mapURIToHandler(mp_signedInfo->getAlgorithmURI());
if (textNode) {
m_HMACOutputLength = atoi(textNode->getNodeValue());
bool sigVfyRet = handler->verifyBase64Signature(
}
m_signatureValueSB.rawCharBuffer(),
}
mp_signedInfo->getHMACOutputLength(),
mp_signingKey);
114. Extensible?
http://www.w3.org/TR/xmldsig-core/#sec-AlgID
"This specification defines a set of algorithms, their URIs,
and requirements for implementation. Requirements
are specified over implementation, not over
requirements for signature use. Furthermore, the
mechanism is extensible; alternative algorithms may
be used by signature applications."
115. Creating .NET Canonicalizer
class SignedInfo
{
public string CanonicalizationMethod { get; }
public Transform CanonicalizationMethodObject
{
get
{
return (Transform)CryptoConfig.CreateFromName(this.CanonicalizationMethod);
}
}
}
116. Creating .NET Canonicalizer
class SignedInfo
{
public string CanonicalizationMethod { get; }
public Transform CanonicalizationMethodObject
{
get
{
return (Transform)CryptoConfig.CreateFromName(this.CanonicalizationMethod);
}
}
}
127. And the Rest
• Cross Implementation DoS (can't show
at this time).
– Also allows you to steal files
• Invalid Parsing of Signatures
– Blended Threat between parsers
• Other DoS stuff in .NET and WCF
• Many Lucky "bugs" in Mono
128. Final Score Sheet
Implementation Parsing
Issues
Memory
Corruption
Signature
Spoofing
Denial of
Service
File Stealing
Apache C++
Yes
Yes
Yes
Yes
Yes,
hilariously!
Apache Java/JRE
Yes
No
Yes
Yes
Sort of,
limited use
XMLSEC1
No
No
Yes
Yes if
libxml2 isn't
fixed
No
.NET
No
No
Yes
Yes
Yes
Mono
Lucky
Escape
No
Yes, should
have been
worse
Yes
I gave up
even trying
130. Conclusions
• Don't Blindly Trust Your Implementation
• Double Check All References are as
expected
• Double Check All Algorithms are as
expected
• Probably stay away from Apache C++
and Mono