APSEC 2017 – Intelligence Amplifying Loop Characterizations for Detecting Algorithmic Complexity Vulnerabilities
Abstract: Algorithmic complexity vulnerabilities (ACVs) can be exploited to cause denial-of-service. Detecting ACVs is hard because of the numerous kinds of loop complexities that cause ACVs. This renders automatic detection intractable for ACVs. State-of-the-art loop analyses aim to obtain precise loop iteration bounds automatically; they can do so for relatively simple loops. This research focuses […]
VizSec 2017 – Interactive Visualization Toolbox to Detect Sophisticated Android Malware
Abstract: Detecting zero-day sophisticated malware is like searching for a needle in the haystack, not knowing what the needle looks like. This paper describes Android Malicious Flow Visualization Toolbox that empowers a human analyst to detect such malware. Detecting sophisticated malware requires systematic exploration of the code to identify potentially malignant code, conceiving plausible malware […]
Derbycon 7 – JReFrameworker: One Year Later
Abstract: JReFrameworker is a Java bytecode manipulation tool released at DEFCON 24 that lowers the barrier to entry for developing Managed Code Rootkits in the Java Virtual Machine. Bytecode manipulations are written entirely in source code, removing the need for any pre-requisite knowledge of bytecode internals and allowing anyone with a basic working knowledge of […]
DEFCON 25 Darknet Challenge
Overview: As described at dcdark.net: The DarkNet was inspired by a community concept of the same name presented in Daniel Suarez’s seminal books, “Daemon” and “Freedom.” In it, an autonomous artificial intelligence implemented by the visionary Matthew A. Sobol and activated by news of his death comes to “life” and begins recruiting people to embark on […]
USCC 2017 – Program Analysis for Cybersecurity
Abstract: From bug hunting to exploit development to securing software systems, program analysis is a common thread that ties together multiple fields of software security. This training is targeted at individuals with little or no program analysis experience. Instead of simply learning how to break things, this training focuses on the challenges involved in securing […]
ICST 2017 – Transferring state-of-the-art immutability analyses: An experimentation toolbox and accuracy benchmark
Abstract: Immutability analysis is important to software testing, verification and validation (V&V) because it can be used to identify independently testable functions without side-effects. Existing tools for immutability analysis are largely academic prototypes that have not been rigorously tested for accuracy or have not been maintained and are unable to analyze programs written in later […]
MILCOM 2016 – Discovering Information Leakage Using Visual Program Models
Abstract: This tutorial is about new genera of information leakage vulnerabilities, far more difficult to detect than the vulnerabilities that have previously dominated the software security landscape. We will survey attacks that have exploited information leakage vulnerabilities to steal sensitive information. We will show how to discover information leakage vulnerabilities using techniques and tools for […]
ISU Cybersecurity Seminar Series – Exploring the space in between bugs and malware
Abstract: We live in an age of software problems with catastrophic consequences. An extra goto in Apple’s SSL implementation compromised certificate checks for the better part of a year. An erroneous integer conversion in the Ariane 5 launch destroyed the European Space Agency rocket and its cargo valued at 500 million dollars. Often the problem […]
SCAM 2016 – Statically-informed Dynamic Analysis Tools to Detect Algorithmic Complexity Vulnerabilities
Abstract: Algorithmic Complexity (AC) vulnerabilities can be exploited to cause a denial of service attack. Specifically, an adversary can design an input to trigger excessive (space/time) resource consumption. It is not possible to build a fully automated tool to detect AC vulnerabilities. Since it is an open-ended problem, a human-in-loop exploration is required to find […]
GIAN 2016 – Managing Complexity, Security, and Safety of Large Software
Abstract: Software malfunctions can have catastrophic consequences and enormous costs. The error-prone and laborious manual practices of developing and maintaining large software must change to cope with ever increasing complexity of software, and the enormous safety and security challenges it poses. Formal verification is not a practical alternative for large software; it is riddled with problems […]