Blog Archives

DEFCON 25 Darknet Challenge

Overview: As described at dcdark.net: The DarkNet was inspired by a community concept of the same name presented in Daniel Suarez’s seminal books, “Daemon” and “Freedom.” In it, an autonomous artificial intelligence implemented by the visionary Matthew A. Sobol and activated by news of his death comes to “life” and begins recruiting people to embark on […]

Categories: Competitions

USCC 2017 – Program Analysis for Cybersecurity

Abstract: From bug hunting to exploit development to securing software systems, program analysis is a common thread that ties together multiple fields of software security. This training is targeted at individuals with little or no program analysis experience. Instead of simply learning how to break things, this training focuses on the challenges involved in securing […]

Categories: Tutorials

ICST 2017 – Transferring state-of-the-art immutability analyses: An experimentation toolbox and accuracy benchmark

Abstract: Immutability analysis is important to software testing, verification and validation (V&V) because it can be used to identify independently testable functions without side-effects. Existing tools for immutability analysis are largely academic prototypes that have not been rigorously tested for accuracy or have not been maintained and are unable to analyze programs written in later […]

Categories: Papers

MILCOM 2016 – Discovering Information Leakage Using Visual Program Models

Abstract:  This tutorial is about new genera of information leakage vulnerabilities, far more difficult to detect than the vulnerabilities that have previously dominated the software security landscape. We will survey attacks that have exploited information leakage vulnerabilities to steal sensitive information. We will show how to discover information leakage vulnerabilities using techniques and tools for […]

Categories: Tutorials

ISU Cybersecurity Seminar Series – Exploring the space in between bugs and malware

Abstract: We live in an age of software problems with catastrophic consequences. An extra goto in Apple’s SSL implementation compromised certificate checks for the better part of a year. An erroneous integer conversion in the Ariane 5 launch destroyed the European Space Agency rocket and its cargo valued at 500 million dollars. Often the problem […]

Categories: Talks

SCAM 2016 – Statically-informed Dynamic Analysis Tools to Detect Algorithmic Complexity Vulnerabilities

Abstract:  Algorithmic Complexity (AC) vulnerabilities can be exploited to cause a denial of service attack. Specifically, an adversary can design an input to trigger excessive (space/time) resource consumption. It is not possible to build a fully automated tool to detect AC vulnerabilities. Since it is an open-ended problem, a human-in-loop exploration is required to find […]

Categories: Papers

GIAN 2016 – Managing Complexity, Security, and Safety of Large Software

Abstract: Software malfunctions can have catastrophic consequences and enormous costs. The error-prone and laborious manual practices of developing and maintaining large software must change to cope with ever increasing complexity of software, and the enormous safety and security challenges it poses. Formal verification is not a practical alternative for large software; it is riddled with problems […]

Categories: Short Courses

ASE 2016 – Learn to Build Automated Software Analysis Tools with Graph Paradigm and Interactive Visual Framework

Abstract: Software analysis has become complex enough to be intimidating to new students and professionals. It can be difficult to know where to start with over three decades of staggering research in data and control flow analyses and a plethora of analysis frameworks to choose from, ranging in maturity, support, and usability. While textbooks, surveys […]

Categories: Tutorials

DEFCON 24 – Developing Managed Code Rootkits for the Java Runtime Environment

Abstract: Managed Code Rootkits (MCRs) are terrifying post-exploitation attacks that open the doors for cementing and expanding a foothold in a target network. While the concept isn’t new, practical tools for developing MCRs don’t currently exist. Erez Metula released ReFrameworker in 2010 with the ability to inject attack modules into the C# runtime, paving the […]

Categories: Talks

ISSRE 2015 – Hard Problems at the Intersection of Cybersecurity and Software Reliability

Abstract: This tutorial is aimed at the audience interested in knowing how software reliability and cybersecurity converge in terms of intrinsic hard problems, and how that knowledge can be useful for advancing the research and practice in both fields. This tutorial is based on our research in three Defense Advanced Research Projects Agency (DARPA) projects […]

Categories: Tutorials