The document discusses defining what constitutes an "exploit" in computer security. It begins by noting that while exploits are a central concept, there is no agreed upon definition. It then examines two potential implementations of a simple intended finite state machine (IFSM) for storing passwords and secrets - a flat array implementation and a linked list implementation. It demonstrates how an attacker could exploit the linked list implementation under a chosen-bitflip-once attacker model by corrupting a single bit of memory to rearrange the linked list and retrieve a secret without knowing the correct password. The document aims to introduce a theoretical framework for reasoning about exploits and differentiating between provably exploitable and unexploitable code.
[2012 CodeEngn Conference 06] beist - Everyone has his or her own fuzzerGangSeok Lee
2012 CodeEngn Conference 06
퍼징 기술의 입문자, 중급자에 초점을 맞추었고 퍼징 기술에 대한 백그라운드 설명부터 시작하여 최근의 퍼징 기술에는 어떠한 것들이 있는지 살펴보고 퍼징 기술이 버그 찾기에 어떻게 쓰일 수 있는지 부터 시작하여 효율적인 퍼징 테크닉은 어떤것들이 있는지 설명한다. 또한, 각 퍼징 기법들의 한계점과 단점에 대해서 지적하며 왜 자신만의 퍼징 노하우와 방법이 필요한지 설명하면서 퍼징 기술의 복잡성과 다양성, 해커들은 어떤 기법을 선호하는지 소개한다. 발표자가 사용하고 있는 기법이나 노하우에 대해서도 공유 할 예정이다.
http://codeengn.com/conference/06
Dean Wells, Microsoft
Witness a whipper-snapper of an admin conduct a series of progressively more sneaky attacks against unsuspecting & ill-prepared virtualized workloads. Little did the whipper-snapper know, this was a guarded Hyper-V host--and guarded hosts come pre-loaded with anti-whipper-snapper technology. Stated another way: watch as Hyper-V defends itself against a series of fabric-level attacks by leveraging Windows Server 2016's remote attestation, key protection/release, hypervisor-enforced code integrity and shielded virtual machine technologies.
Jonathan Birch, Microsoft
Serialization is a powerful tool in .Net, but if used incorrectly it can create vulnerabilities, including remote code execution. In this talk, I explain how .Net deserialization vulnerabilities occur, and why they can only be prevented by application developers. I explain four common forms of this vulnerability in detail, two using only .Net libraries and two using common vulnerable 3rd party libraries. For each of these I explain multiple ways to modify the vulnerable code to make it safe. I then use these as a basis to provide general guidelines for securing deserialization. Finally, I discuss methods for detecting .Net deserialization vulnerabilities both through static and dynamic analysis, along with coding best practices to prevent these vulnerabilities from being introduced into a product. A handout will be provided listing potentially vulnerable API’s and how to use them safely, along with useful notes on detecting this vulnerability.
[2012 CodeEngn Conference 06] beist - Everyone has his or her own fuzzerGangSeok Lee
2012 CodeEngn Conference 06
퍼징 기술의 입문자, 중급자에 초점을 맞추었고 퍼징 기술에 대한 백그라운드 설명부터 시작하여 최근의 퍼징 기술에는 어떠한 것들이 있는지 살펴보고 퍼징 기술이 버그 찾기에 어떻게 쓰일 수 있는지 부터 시작하여 효율적인 퍼징 테크닉은 어떤것들이 있는지 설명한다. 또한, 각 퍼징 기법들의 한계점과 단점에 대해서 지적하며 왜 자신만의 퍼징 노하우와 방법이 필요한지 설명하면서 퍼징 기술의 복잡성과 다양성, 해커들은 어떤 기법을 선호하는지 소개한다. 발표자가 사용하고 있는 기법이나 노하우에 대해서도 공유 할 예정이다.
http://codeengn.com/conference/06
Dean Wells, Microsoft
Witness a whipper-snapper of an admin conduct a series of progressively more sneaky attacks against unsuspecting & ill-prepared virtualized workloads. Little did the whipper-snapper know, this was a guarded Hyper-V host--and guarded hosts come pre-loaded with anti-whipper-snapper technology. Stated another way: watch as Hyper-V defends itself against a series of fabric-level attacks by leveraging Windows Server 2016's remote attestation, key protection/release, hypervisor-enforced code integrity and shielded virtual machine technologies.
Jonathan Birch, Microsoft
Serialization is a powerful tool in .Net, but if used incorrectly it can create vulnerabilities, including remote code execution. In this talk, I explain how .Net deserialization vulnerabilities occur, and why they can only be prevented by application developers. I explain four common forms of this vulnerability in detail, two using only .Net libraries and two using common vulnerable 3rd party libraries. For each of these I explain multiple ways to modify the vulnerable code to make it safe. I then use these as a basis to provide general guidelines for securing deserialization. Finally, I discuss methods for detecting .Net deserialization vulnerabilities both through static and dynamic analysis, along with coding best practices to prevent these vulnerabilities from being introduced into a product. A handout will be provided listing potentially vulnerable API’s and how to use them safely, along with useful notes on detecting this vulnerability.
CheckPlease is the go-to repository for the newest targeted payload and sandbox-detection modules. This repository is for defenders to harden their sandboxes and AV tools, malware researchers to discover new techniques, and red teamers to get serious about their payloads.
Presented at Steelcon 2017
This presentation is a fun introduction to the tools used by script kiddies, namely the Remote Admin Tools (or Remote Access Trojans). These GUI based hacking tools include a lot of funny and scary features.
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016grecsl
In the presentation that threat intel vendors do not want you to see, open source and internal data meets home grown resources to produce actionable threat intelligence that your organization can leverage to stop the bad guys. This presentation discusses and shows examples of using what your already have to bootstrap this capability using existing data management platforms with open and flexible schemas to ease identification of advanced threats. Specific topics covered include the advantages of using open and flexible platforms that can be molded into a data repository, a case tracking system, an indicator database, and more. By analyzing this data organizations can discovery trends across attacks that help them understand their adversaries. An example nosql schema will be release to help attendees create their own implementations.
Breadcrumbs to Loaves: How tidbits of Information Lead Us to Full-Scale Compromise. Presented at BSides Austin 2017. Follow on Twitter: @arvanaghi
Often on red teams, there is no obvious path to compromising the environment. Reconnaissance efforts, both external and internal, may yield only crumbs of information. Though tiny and often in obscure locations, these bits of information can serve as a trail of breadcrumbs to full-scale compromise. Specific keys in the Windows Registry and unusual sources of open-source intelligence gathering can provide valuable information about a network mapping that most companies don’t know exist. We walk you step-by-step through what some of these crumbs are, how to find them, and how we have used tiny bits of information to escalate our privileges to full-scale enterprise compromise.
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
This talk is about different attacker persistence techniques that we have seen in the wild, or published by other companies. We wanted to create a massive document containing all of these techniques with a mile wide, inch deep approach. Our goal is to give a description of how each technique works and a way to detect them to allow anyone to start looking for these specific techniques.
CheckPlease is the go-to repository for the newest targeted payload and sandbox-detection modules. This repository is for defenders to harden their sandboxes and AV tools, malware researchers to discover new techniques, and red teamers to get serious about their payloads.
Presented at Steelcon 2017
This presentation is a fun introduction to the tools used by script kiddies, namely the Remote Admin Tools (or Remote Access Trojans). These GUI based hacking tools include a lot of funny and scary features.
Deploying a Shadow Threat Intel Capability at Thotcon on May 6, 2016grecsl
In the presentation that threat intel vendors do not want you to see, open source and internal data meets home grown resources to produce actionable threat intelligence that your organization can leverage to stop the bad guys. This presentation discusses and shows examples of using what your already have to bootstrap this capability using existing data management platforms with open and flexible schemas to ease identification of advanced threats. Specific topics covered include the advantages of using open and flexible platforms that can be molded into a data repository, a case tracking system, an indicator database, and more. By analyzing this data organizations can discovery trends across attacks that help them understand their adversaries. An example nosql schema will be release to help attendees create their own implementations.
Breadcrumbs to Loaves: How tidbits of Information Lead Us to Full-Scale Compromise. Presented at BSides Austin 2017. Follow on Twitter: @arvanaghi
Often on red teams, there is no obvious path to compromising the environment. Reconnaissance efforts, both external and internal, may yield only crumbs of information. Though tiny and often in obscure locations, these bits of information can serve as a trail of breadcrumbs to full-scale compromise. Specific keys in the Windows Registry and unusual sources of open-source intelligence gathering can provide valuable information about a network mapping that most companies don’t know exist. We walk you step-by-step through what some of these crumbs are, how to find them, and how we have used tiny bits of information to escalate our privileges to full-scale enterprise compromise.
Ever Present Persistence - Established Footholds Seen in the WildCTruncer
This talk is about different attacker persistence techniques that we have seen in the wild, or published by other companies. We wanted to create a massive document containing all of these techniques with a mile wide, inch deep approach. Our goal is to give a description of how each technique works and a way to detect them to allow anyone to start looking for these specific techniques.
#GetsmART: Lessons from the Artists BLC15 MinikeynoteAmy Burvall
Note that this is the abridged version (15 minutes) presented at BLC15; I have an hour version with almost 100 more hand-drawn slides.
While everyone is both a work of art and an artist, not
everyone thinks like one. What can the ways in which
famous artists lived their lives,as well as their creative processes, teach us? In this 15 minute keynote presented at Alan November's Building Learning Communities 2015, Amy
Burvall shares poignant takeaways from the lives of
Da Vinci and Michelangelo, the Impressionists, Toulouse-
Lautrec, Picasso, and Warhol.
Through anecdotes, quotes, and metaphorical imagery,
these apologues serve as digestible life lessons educators and leaders can embrace in their own
intellectual and creative lives and share with students.
Who are the pharma social media butterflies?Ogilvy Health
Who is doing the most proactive social media engagement within the pharmaceutical industry? Should pharma really compare itself to other sectors when it comes to social media? Is pharma’s use of social media evolving in the right direction? What are the defining characteristics of those pharma companies who are engaging more?
These are just some of the questions we keep hearing when it comes to pharma and social media. So we thought a bit of analysis of the industry would be interesting to see who was driving the party and who was standing back to watch and learn – the social butterflies and wallflowers.
Better Life Insurance Risk Assessment by Leveraging Medical InnovationsCognizant
Insurance companies must adopt medical technology innovations such as evidence-based underwriting, wearable fitness devices, bio-monitors and gene tests to elevate insurance underwriting efficiency and accuracy
What's your choice for 2014 Word of the Year (WOTY)?
Our collection of Buzzword Bingo spotlights colorful slang and new words chosen to educate and inspire. Down with the tedious weasel words and up with new lingo!
http://planeta.wikispaces.com/buzzwordbingo
Keen on learning new lingo?
Web: Barn Raising, Emoji, Endorsement, Flipboard, Hack, Influence, Kickstand, Mute, Net Neutrality, Second Screen, Show Notes, Slideshare, Uber, Unselfie, Upvote, Virtual Tour
World: Atalatl, Ciclovía, Drop Bear, Ebola, Holá, Laniakea, NAIDOC, Sumak Kawsay, Te Kupu
New school: Appointment Radio, Artificial Photosynthesis, Artisinal Outhouse, Canned Hunting, Counter Narrative, Curiosity Gap, False Conflict, Food Sovereignty, Gravitational Wave, Interstital, Setjetting, Lifehack, Moonshot, Neuromorphic Computing, Non-Narrated, Petrichor, Pocket Park, Setjetting, Sharing Economy, Silent Traveler, Slow Money, Start-Up, Suspended Coffee, Synthetic Biology, Umbrella Species, Vortex, Wayfinding
Old school: Agency, Creativity, Disruption, Inequality, Privacy, Promise, Restraint, Sesquicentennial, Shoebox Archive, Trope, Umbrella, Wheelhouse
Ron: Conscious Travel, Garden Volunteer, Immediate Now, Inbetweener, Kitchen Hopping, Longcut, Photo Safari, Slow Travel, Uncoordinated Collaboration, Virtuous Circle, We Story
Blog
https://ronmader.wordpress.com/2014/12/31/2014buzzwords
Flickr (free artwork, attribution-sharealike license)
https://www.flickr.com/photos/planeta/sets/72157640396567294
Wiki
http://planeta.wikispaces.com/buzzwordbingo
Crypto workshop part 3 - Don't do this yourselfhannob
Slides from a workshop I held on cryptography for web developers.
Part 3 is about the complexity of writing crypto code and why you should avoid doing it yourself it you're not a real expert.
https://blog.hboeck.de/archives/849-Slides-from-cryptography-workshop-for-web-developers.html
Chatbots are growing in popularity as developers face the
limitations of the mobile app. User interfaces that simulate a human
conversation, the history of chatbots goes back to the late 18th
century. I'll take you on a tour of that history with an eye on finding
insights on what is possible today and in the near future with chatbots.
Issues Covered: Amazon Alexa, Facebook Messenger Chatbots, Alan
Turing, and much more.
An idea for a log and backup policy that reduces the possibility of and potential damage from insider threats. Presented at Information Warfare Summit 2013.
We presented our work at Northrop Grumman Cybersecurity Research Consortium (CRC) spring event at Washington, DC. This is part of the "Deception Group" work at Purdue. Our group is investigating how deception can be used to improve the security of computers and networks.
In February 2014, the Argentinian studio OKAM made public the source code of their multi-platform game engine Godot Engine and not so long ago, version 1.0 was released. As you have already guessed, in this article we will talk about the analysis of this project's source code and its results. Analysis was done with the PVS-Studio static code analyzer. Besides the introductory purpose, this article also pursues some practical aims: the readers can learn something new while the project developers can fix errors and bottlenecks. But first things first.
Monitoring a program that monitors computer networksAndrey Karpov
There exists the NetXMS project, which is a software product designed to monitor computer systems and networks. It can be used to monitor the whole IT-infrastructure, from SNMP-compatible devices to server software. And I am naturally going to monitor the code of this project with the PVS-Studio analyzer.
Not so long ago one of our colleagues left the team and joined one company developing software for embedded systems. There is nothing extraordinary about it: in every firm people come and go, all the time. Their choice is determined by bonuses offered, the convenience aspect, and personal preferences. What we find interesting is quite another thing. Our ex-colleague is sincerely worried about the quality of the code he deals with in his new job. And that has resulted in us writing a joint article. You see, once you have figured out what static analysis is all about, you just don't feel like settling for "simply programming".
Explore the world of ethical hacking with CTF (Capture the Flag) in a fun and interactive way. Join us and ensure you bring your laptops to follow along with live CTF challenges. Cybersecurity may seem daunting, but CTF makes it accessible to all.
Similar to Understanding the fundamentals of attacks (20)
JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and toplay online games. But have we ever properly considered thesecurity state of this scripting language? Before dismissing the (in)security posture of JavaScript on the grounds of a client-side problem, consider the impact ofJavaScript vulnerability exploitation to the enterprise: from stealing serverside data to infecting users with malware. Hackers are beginning to recognize this new playground and are quicklyadding JavaScript exploitation tools to their Web attack arsenal.
A Comprehensive Look at Generative AI in Retail App Testing.pdfkalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have.
For more Tendenci AMS events, check out www.tendenci.com/events
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
Data privacy is one of the most critical issues that businesses face. This presentation shares insights on the principles and best practices for ensuring the resilience and security of your workload.
Drawing on a real-life project from the HR industry, the various challenges will be demonstrated: data protection, self-healing, business continuity, security, and transparency of data processing. This systematized approach allowed to create a secure AWS cloud infrastructure that not only met strict compliance rules but also exceeded the client's expectations.
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns
Unlocking Business Potential: Tailored Technology Solutions by Prosigns
Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support.
Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth.
Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices.
AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making.
Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency.
DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration.
Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly.
Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business.
Join us on a journey of innovation and growth. Let's partner for success with Prosigns.
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
Why React Native as a Strategic Advantage for Startup Innovation.pdfayushiqss
Do you know that React Native is being increasingly adopted by startups as well as big companies in the mobile app development industry? Big names like Facebook, Instagram, and Pinterest have already integrated this robust open-source framework.
In fact, according to a report by Statista, the number of React Native developers has been steadily increasing over the years, reaching an estimated 1.9 million by the end of 2024. This means that the demand for this framework in the job market has been growing making it a valuable skill.
But what makes React Native so popular for mobile application development? It offers excellent cross-platform capabilities among other benefits. This way, with React Native, developers can write code once and run it on both iOS and Android devices thus saving time and resources leading to shorter development cycles hence faster time-to-market for your app.
Let’s take the example of a startup, which wanted to release their app on both iOS and Android at once. Through the use of React Native they managed to create an app and bring it into the market within a very short period. This helped them gain an advantage over their competitors because they had access to a large user base who were able to generate revenue quickly for them.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Your Digital Assistant.
Making complex approach simple. Straightforward process saves time. No more waiting to connect with people that matter to you. Safety first is not a cliché - Securely protect information in cloud storage to prevent any third party from accessing data.
Would you rather make your visitors feel burdened by making them wait? Or choose VizMan for a stress-free experience? VizMan is an automated visitor management system that works for any industries not limited to factories, societies, government institutes, and warehouses. A new age contactless way of logging information of visitors, employees, packages, and vehicles. VizMan is a digital logbook so it deters unnecessary use of paper or space since there is no requirement of bundles of registers that is left to collect dust in a corner of a room. Visitor’s essential details, helps in scheduling meetings for visitors and employees, and assists in supervising the attendance of the employees. With VizMan, visitors don’t need to wait for hours in long queues. VizMan handles visitors with the value they deserve because we know time is important to you.
Feasible Features
One Subscription, Four Modules – Admin, Employee, Receptionist, and Gatekeeper ensures confidentiality and prevents data from being manipulated
User Friendly – can be easily used on Android, iOS, and Web Interface
Multiple Accessibility – Log in through any device from any place at any time
One app for all industries – a Visitor Management System that works for any organisation.
Stress-free Sign-up
Visitor is registered and checked-in by the Receptionist
Host gets a notification, where they opt to Approve the meeting
Host notifies the Receptionist of the end of the meeting
Visitor is checked-out by the Receptionist
Host enters notes and remarks of the meeting
Customizable Components
Scheduling Meetings – Host can invite visitors for meetings and also approve, reject and reschedule meetings
Single/Bulk invites – Invitations can be sent individually to a visitor or collectively to many visitors
VIP Visitors – Additional security of data for VIP visitors to avoid misuse of information
Courier Management – Keeps a check on deliveries like commodities being delivered in and out of establishments
Alerts & Notifications – Get notified on SMS, email, and application
Parking Management – Manage availability of parking space
Individual log-in – Every user has their own log-in id
Visitor/Meeting Analytics – Evaluate notes and remarks of the meeting stored in the system
Visitor Management System is a secure and user friendly database manager that records, filters, tracks the visitors to your organization.
"Secure Your Premises with VizMan (VMS) – Get It Now"
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTier1 app
Even though at surface level ‘java.lang.OutOfMemoryError’ appears as one single error; underlyingly there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Accelerate Enterprise Software Engineering with Platformless
Understanding the fundamentals of attacks
1. Understanding the fundamentals of attacks
What is happening when someone writes an exploit?
Halvar Flake / Thomas Dullien
November 3, 2016
The /home owners association
2. Table of contents
1. The need to define “exploit”
2. Defining bug-free and buggy software
3. Intended states, CPU states, and weird states
4. Input streams as instruction streams
5. Provably exploitable and provably unexploitable code
6. What does all of this mean?
7. Summary
1
4. What, exactly, is an ‘exploit’?
What, exactly, is an exploit?
Central concept in computer security.
Valuable currency: Used to be barter-traded, now is traded for $$$.
Could you define it so that an old-school computer scientist understands?
2
5. What, exactly, is an ‘exploit’?
In spite of centrality of the concept, it is ill-defined.
Informal definitions abound, from overly abstract to overly concrete:
“A program that allows you to do something that you are not
supposed to be able to do.”
“I recognize an exploit when I see it.”
“Magic”
“When you overwrite EIP”
3
6. Why is the lack of a definition a problem?
Problem 1:
Since we do not have clear definitions, we fall into scholastic arguments:
“Adding a cookie to the heap here will stop exploits - it breaks
the technique described in Phrack!”
“It is just a single bit error, and hence not exploitable.”
Since we do not have clear definitions, these statements cannot be
reasoned about properly.
4
7. Why is the lack of a definition a problem?
Computer security is full of non-scientific statements, assertions, and
unquantifiable handwaving.
Mitigations are supposed to “raise the bar”, but:
Bar-raising
1. How much will the bar be raised?
2. Will it cost the attacker time once, or will it cost him time on each
exploit?
3. Is the cost (performance, complexity) worth the gain?
Our discussions are similar to “how many angels can balance on the tip
of a needle”.
5
8. Why is the lack of a definition a problem?
Most defenders have no first-hand experience with a modern exploit.
With security jobs doubling every 4 years, scholasticism is a real problem.
Incentive structures are harmful:
Happy defender
1. Come up with overspecific
countermeasures
2. Show progress to superiors
& get promoted
Happy attacker
1. Bypass overspecific
countermeasures
2. Hack all the things
3. Show progress to superiors
& get promoted
6
9. Why is the lack of a definition a problem?
Problem 2:
We fail at teaching it properly, and instead teach a “bag of tricks”
The broken exploitation curriculum:
1. Learn about stack smashing
2. Learn about heap implementation X, Y, and Z
3. Learn about SQL injection
4. Learn about ASLR and other mitigations
5. Learn about XSS
6. Learn about other overly special cases
Disjoint, disparate, and terrible at transmitting principles. Too many
people “miss the forest for the trees” as a result.
7
10. Why is there no good theoretical body on exploits?
“Philosophy of science is about as useful to scientists as
ornithology is to birds” (Feynman)
Exploit practitioners know the intuitions they need, and have no incentive
to formalize or disseminate their mental models.
8
11. This talk
Explains the “right” way to think about exploits and exploit writing1
.
Introduces an attacker model for memory corruptions that allows us to
reason about large classes of attacks.
Discusses a few theoretical results & their consequences.
Omits proofs and extreme formalism.
... but remains a theoretical CS talk, so don’t fall asleep!
1“Right” as subjectively judged by me, but I have impeccable taste in exploits.
9
12. Credit where it is due
Intuitions behind this talk are known to many exploit practitioners.
“Folk theorems” - results are known, but not formally written down
anywhere.
The LANGSEC2
community have contributed strongly to the discussion
and evolution of ideas.
2L. Sassaman, M. L. Patterson, S. Bratus, J. Vanegue etc. ...
10
14. Recap: Finite state machines
A graph of states, and input drives the machine along edges
(“transitions”) to other states.
State 1 State 2 State 3
‘A’ ‘B’
‘A’
‘D’ ‘E’
If you are unfamiliar with finite-state machines, think of such diagrams: 11
15. The intended (finite state) machine
Why write software? Because you wish to address a problem.
You want to have a machine that does something specific for you.
Ideally, you want to have a specific finite-state machine that addresses
your problem.
12
16. The intended (finite state) machine
Unfortunately, you do not have this machine: All you have is a
general-purpose computer.
So you build an emulator that emulates the machine you would like to
have on a general-purpose computer.
Programming is, at its heart, construction of finite-state-machine
emulators. 3
3Some people may disagree, but it is true for finite-RAM (e.g. real) machines
13
17. The intended (finite state) machine
The machine that addresses the problem is the intended finite state
machine: The machine you wanted to build.
By definition, it is bug-free: It does exactly what you want it to do, and
nothing else.
All theory is grey, so let’s define a small IFSM: A system that stores 5000
password / secret-value combinations
14
18. The IFSM
A simple secret-keeping machine:
A: Read password/secret
B: Store pair in memory
C:
Remove pair from memory
Output the requested secret
D: Output error message
New password?
Fewer than 5000 stored?
Pass/secret not equal 0?
Existing password?
Pass/secret equal 0?
Already 5000 stored?
15
19. The IFSM, slightly more formal
A simple secret-keeping machine:
Read input password/secret
read(p)
read(s)
Store pair in memory (B)
Memory ← Memory ∪ {(p, s)}
Output the requested secret (C)
Memory ← {(p , s ) ∈ Memory | p = p}
print(s )
Output error message (D)
print(0)
IF condition b:
∀(p , s ) ∈ Memory : p = p
|Memory| ≤ 4999
s = 0, p = 0
IF condition c:
∃(p , s ) ∈ Memory : p = p
s = 0
IF condition d:
s = 0
∨p = 0
∨ |Memory| = 5000
16
20. Implementing the IFSM
This machine can be implemented in many ways.
We will examine 2 different implementations.
Memory in the IFSM is a set. Computers do not know sets.
Our two implementations will emulate Memory via (1) a flat array and
via (2) a linked list.
17
21. Flat-array implementation: Writing
Divides memory into pairs of memory cells.
Pairs are either empty (and both 0), or represent secret/password combo.
Insertion is linear scan for empty pair and writing there.
Removal is linear scan for correct pair and removing it.
We refer to such a pair as (p, s).
18
28. Flat-array implementation: Reading
Transition C: Memory ← {(p , s ) ∈ Memory|p = p}.
Searching for a specific p and removing the pair.
P S
Linearly sweep until right p is found. Output corresponding s.
25
29. Flat-array implementation: Reading
Transition C: Memory ← {(p , s ) ∈ Memory|p = p}.
Searching for a specific p and removing the pair.
Linearly sweep until right p is found. Output corresponding s. Zero
memory cell.
26
30. Flat-array implementation: Reading
Transition C: Memory ← {(p , s ) ∈ Memory|p = p}.
Searching for a specific p and removing the pair.
Linearly sweep until right p is found. Output corresponding s. Zero
memory cell.
27
31. The linked-list implementation
Linearly sweeping memory is computationally expensive and not very
CSy.
Let us replace the flat array with a linked list for free and used tuples.
Divide memory into 3-tuples: (p, s, next). Keep track of two list heads
for free and used tuples.
28
36. Linked-list implementation details
Very detailed step-by-step slides for what happens are in the appendix,
but most people will be familiar with linked-list unlinks.
We will look at the machine implementation in more detail later.
Right now, we need to define what security properties are.
33
37. Security properties of the IFSM
The security properties of the IFSM are “what we want to be true” for
the IFSM.
This is needed to define “winning” for an attacker: He wins when he
defeats the security properties of the IFSM.
The security property is just a statement about input and output
sequences of the IFSM.
34
38. Security properties of the IFSM
A secret-keeping machine should not allow the secrets to be retrieved by
someone who does not know the password.
“If the system stores a pair (p, s) it should be practically infeasible for
the attacker to obtain s if he does not know p”.
35
40. Intended states
There is one IFSM state for each possible configuration of Memory.
At the same time, we saw that there can be multiple states of the CPU
that represent the same IFSM state (sets do not care about ordering).
You can map between intended states and sets of CPU states: Every
state of the IFSM can be represented by one or more CPU states.
But many CPU states do not represent any state of the IFSM.
36
41. CPU states
CPU states can fall into one of three categories:
Sane states: A CPU state which corresponds to a state of the IFSM.
Transitory states: A CPU state which inevitably irrespective of further
input or output leads to a sane state. These occur when the emulator
emulates a transition arrow of the IFSM using multiple instructions.
Weird states: A CPU state that does not correspond to a state of the
IFSM, and hence cannot be interpreted as a representation of the IFSM.
37
42. Weird states
How can the CPU enter a weird state?
Programming mistakes
Bitflips in DRAM
Broken data on your harddisk that gets paged in
... and a myriad of other ways ...
38
43. Emulated transitions on weird states
The program that executes on the CPU usually cannot know it has
entered a weird state.
It will happily continue executing until an exception occurrs.
This means that it will emulate transitions intended for a sane state on a
weird state.
This transforms one weird state into (usually) another weird state.
39
44. Emulated transitions on weird states
Once a weird state is entered, many other weird states can be reached by
applying the transitions intended for sane states on them.
A new computational device emerges, the weird machine.
The weird machine is the computing device that arises from the
operation of the emulated transitions of the IFSM on weird states.
...time for a radical change of perspective...
40
46. Normal model of computation
State 1 State 2 State 3 State 4 State 5
Input Input
Instruction Instruction Instruction Instruction
Program
Data
41
47. Normal model of computation
Summarize the middle transitions.
State 1 State 4 State 5
Input Input
Instruction(s) Instruction(s)
Program
Data
42
48. Attacker model of computation
State 1 State 4 State 5
Input Input
Instruction(s) Instruction(s)
Data
Program
43
49. Switching perspective
Any computing device that accepts input and reacts to this input by
executing a different program path can be viewed as a computing device
where the inputs are the program.
If no weird state can ever be entered, this is no problem, and intended.
If there is a way to enter a weird state, all hell breaks loose: The attacker
is now programming your computer.
44
50. The essence of exploitation
Given a method to enter a weird state from a set of particular sane
states, exploitation is the process of
setup (choosing the right sane state),
instantiation (entering the weird state) and
programming of the weird machine
so that security properties of the IFSM are violated.
45
52. Attacker model
Cryptography has a variety of attacker models of different strengths.
Plaintext-only. Chosen-ciphertext. Chosen-plaintext. Adaptive
chosen-plaintext.
These attacker models define what an attacker is allowed to do and
generalize many real-world attacks.
They are usually quite powerful, and allow reasoning about large classes
of attacks and defenses.
46
53. Attacker model
Let us introduce a simple (yet powerful) attacker model for memory
corruptions:
A chosen-bitflip-once attacker is allowed to corrupt exactly one bit of
memory exactly once, when the machine is waiting for input.
There are many other attacker models that are sensible and imaginable -
but we won’t discuss them here.
47
54. Attacker model
Our attacker model works as follows:
1. Attacker gets to send inputs to the machine
2. Defender gets to send an input (p, s) to the machine
3. Attacker gets to send inputs to the machine
4. Attacker gets to flip exactly one bit of his choosing
5. Attacker gets to send more inputs to the machine to obtain s
The chosen-bitflip-once attacker is a fairly strong attacker model, but not
unreasonably so.
48
55. Proving exploitability of the linked-list variant
The time-honored way of showing exploitability is providing an exploit.
We follow the same route: We describe a sequence of operations that
allows the attacker to obtain the secret.
49
63. Exploiting the linked-list implementation
The machine is still in an entirely sane state.
p0 s0 n0 p3 s3 n3 p4 s4 n4 pd sd nd
free
head
=12
57
64. Exploiting the linked-list implementation
The attacker gets to corrupt one bit, incrementing n3.
p0 s0 n0 p3 s3 n3 p4 s4 n4 pd sd nd
free
head
=12
58
65. Exploiting the linked-list implementation
The attacker gets to corrupt one bit, incrementing n3. He then sends in
(s4, X).
p0 s0 n0 p3 s3 n3 p4 s4 n4 pd sd nd
free
head
=12
59
66. Exploiting the linked-list implementation
The machine follows the linked list, interprets the stored s4 as password,
and outputs n4.
p0 s0 n0 p3 s3 n3 p4 s4 n4 pd sd nd
free
head
=12
60
67. Exploiting the linked-list implementation
The machine follows the linked list, interprets the stored s4 as password,
and outputs n4. It then sets the three cells to be free and overwrites the
stored pd with the free-head.
p0 s0 n0 p3 s3 n3 p4 s4 n4 12 sd nd
free
head
=7 61
68. Exploiting the linked-list implementation
The machine follows the linked list, interprets the stored s4 as password,
and outputs n4. It then sets the three cells to be free and overwrites the
stored pd with the free-head. Attacker sends (12, X) and obtains sd .
p0 s0 n0 p3 s3 n3 p4 s4 n4 12 sd nd
free
head
=7 62
69. Proving non-exploitability of the flat-array variant
The proof-of-exploitability was constructive.
Proving non-exploitability has a different flavor.
It is simply enumerating all initially reachable weird states and showing
they lead nowhere.
63
70. Proving non-exploitability of the flat-array variant
By flipping a bit, an attacker can enter one of the following states:
1. A sane state where he modifies a previously-saved p by one bit.
2. A sane state where he modifies a previously-saved s by one bit.
3. A weird state where a password-field of a (0, 0)-pair is set to = 0
but the secret field of the pair is 0.
4. A weird state where a secret-field of a (0, 0)-pair is set to = 0.
The sane states do not give him any advantage in obtaining sd . What
about the weird states?
64
71. Proving non-exploitability of the flat-array variant
Examine the initial weird states:
3. A weird state where a password-field of a (0, 0)-pair is set to = 0
but the secret field of the pair is 0.
3.1 The machine can be made to spit out 0 given the right password,
then reverts to a sane state.
3.2 This is weird behavior, but does not violate security properties
4. A weird state where a secret-field of a (0, 0)-pair is set to = 0.
4.1 The machine will treat the pair as empty and overwrite it, reverting
to a sane state.
4.2 This is weird behavior, but does not violate security properties
The attacker is out of options.
65
73. Interpreting all of this (1 of N)
Exploitation has very little to do with hijacking RIP/EIP.
All programs we considered had perfect control-flow integrity, and no
instruction pointer was hijacked.
Exploitation is programming a weird machine.
66
74. Properties of weird machines
Weird machines get more powerful as the emulator for the IFSM gets
more complex.
It seems that the presence of a linked list in the same address space
where a bit gets flipped may already imply “anything can happen” if the
attacker can cause unlink/link operations.
Weird machines are created out of the IFSM emulator. They are not
designed to be programmed, and the attacker writes “weird machine
assembler”.
67
75. Properties of weird machines
Since the weird machine arises from its “host”, different versions of the
same “host” may create similar weird machines.
This leads to attacker specialization: “X is the expert for IE exploitation.”
Attackers also end up writing libraries for recurrent exploitation of the
same targets. Nobody wants to write assembler from scratch, especially
not weird machine assembler.
68
76. Interpreting all of this (2 of N)
Many mitigations break one particular weird machine program.
Many mitigations can be “programmed around” by the attacker.
Many mitigations can be “bypassed once” (for a given target), then the
attacker has a “library” to repeat the feat when he finds the next bug.
69
77. Interpreting all of this (3 of N)
It is actually possible to write non-exploitable programs.
Exploring the space of non-exploitable programs seems worthwhile.
What datastructures can be implemented in non-exploitable manner?
At what computational cost?
70
78. Interpreting all of this (4 of N)
“Provably correct” is not the same as non-exploitable. These are
orthogonal concepts.
“Provably correct” means there is no software-only path to induce a
weird state.
Non-exploitable means all weird states a given attacker can reach resolve
to harmless sane states.
71
79. Interpreting all of this (5 of N)
“Turing-complete” is a fashionable way of showing the power of an
offensive technique in some academic papers.
It is a misuse of the term. It is trivial to produce a IFSM that simulates a
two-counter machine that is “Turing-complete”, but no security
properties are violated.
The right way of showing power is demonstrating violation of security
properties.
If you want to show more, demonstrate violation of all possible security
properties. So you want to show you can reach any pathological state.
(Turing-complete computation on arbitrary memory can do this).
72
80. Interpreting all of this (6 of N)
When trying to write non-exploitable programs, it is very hard to keep
“indirection” under control.
If one memory cell refers to another (directly or indirectly), it is often not
easy to assure it remains sane.
Theoretical computer science distinguishes between RAM machines with
indirect addressing and without. Is something similar at play here?
73
82. Summary
Exploitation is programming emergent weird machines.
It does not require EIP/RIP, and is not a bag of tricks.
Theory of exploitation is still in embryonic stage.
A lot of interesting questions - where will we stand in 10 years?
74
84. Acknowledgements
A lot of people have discussed the topic with me and thus influenced my
views. In random order: Felix Lindner, Ralf-Philipp Weinmann, Willem
Pinckaers, Vincenzo Iozzo, Julien Vanegue, Sergey Bratus, William
Whistler, Sean Heelan, Sebastian Krahmer.
A lot of thanks for their patience and insight.
I have spoken to so many people about exploitation in recent years. If
you feel you should’ve been listed here, just assume you were :-)
I also have to thank Mara Tam for useful feedback and outside
perspective.
75
85. References
Creating a proper full bibliography is difficult and out of scope for this
conference talk. Some starting points:
[3] [2] [1]
86. References I
S. Bratus, J. Bangert, A. Gabrovsky, A. Shubina, M. E. Locasto, and
D. Bilar.
’weird machine’ patterns.
In C. Blackwell and H. Zhu, editors, Cyberpatterns, Unifying Design
Patterns with Security and Attack Patterns, pages 157–171.
Springer, 2014.
L. Sassaman, M. L. Patterson, S. Bratus, and M. E. Locasto.
Security applications of formal language theory.
IEEE Systems Journal, 7(3):489–500, 2013.
J. Vanegue.
The weird machines in proof-carrying code.
In IEEE Symposium on Security and Privacy Workshops, pages
209–213, 2014.
90. Linked-list implementation
How do we store something in memory?
Take first element from free head. Adjust free-list head. Fill in p, s.
91. Linked-list implementation
How do we store something in memory?
Take first element from free-list head. Adjust free-list head. Fill in p, s.
Fill in next from the used-list head.
92. Linked-list implementation
How do we store something in memory?
Take first element from free-list head. Adjust free-list head. Fill in p, s.
Fill in next from the used-list head.
93. Linked-list implementation
How do we store something in memory?
Take first element from free-list head. Adjust free-list head. Fill in p, s.
Fill in next from the used-list head. Adjust used-list head.
Fill in next from the used-list head. Adjust used-list head.
94. Linked-list implementation
Transition (B): Memory ← Memory ∪ {(p, s)}.
Take first element from free-list head. Adjust free-list head. Fill in p, s.
Fill in next from the used-list head. Adjust used-list head. Done.
98. Linked-list implementation
Transition C: Memory ← {(p , s ) ∈ Memory|p = p}.
Follow used-list until p is found. Adjust next that led us here so that the
block with p is removed from the used-list.
99. Linked-list implementation
Transition C: Memory ← {(p , s ) ∈ Memory|p = p}.
Follow used-list until p is found. Adjust next that led us here so that the
block with p is removed from the used-list.
Output s, and replace next with free-list head.
100. Linked-list implementation
Transition C: Memory ← {(p , s ) ∈ Memory|p = p}.
Follow used-list until p is found. Adjust next that led us here so that the
block with p is removed from the used-list.
Output s, and replace next with free-list head. Adjust free-list head.