logo
Dates

Author


Conferences

Tags

Sort by:  

Conference:  Defcon 31
Authors: Xavier Cadena
2023-08-01

Large Language Models are already revolutionizing the software development landscape. As hackers we can only do what we've always done, embrace the machine and use it to do our bidding. There are many valid criticisms of GPT models for writing code like the tendency to hallucinate functions, not being able to reason about architecture, training done on amateur code, limited context due to token length, and more. None of which are particularly important when writing fuzz tests. This presentation will delve into the integration of LLMs into fuzz testing, providing attendees with the insights and tools necessary to transform and automate their security assessment strategies. The presentation will kick off with an introduction to LLMs; how they work, the potential use cases and challenges for hackers, prompt writing tips, and the deficiencies of current models. We will then provide a high level overview explaining the purpose, goals, and obstacles of fuzzing, why this research was undertaken, and why we chose to start with 'memory safe' Python. We will then explore efficient usage of LLMs for coding, and the Primary benefits LLMs offer for security work, paving the way for a comprehensive understanding of how LLMs can automate tasks traditionally performed by humans in fuzz testing engagements. We will then introduce FuzzForest, an open source tool that harnesses the power of LLMs to automatically write, fix, and triage fuzz tests on Python code. A thorough discussion on the workings of FuzzForest will follow, with a focus on the challenges faced during development and our solutions. The highlight of the talk will showcase the results of running the tool on the 20 most popular open-source Python libraries which resulted in identifying dozens of bugs. We will end the talk with an analysis of efficacy and question if we'll all be replaced with a SecurityGPT model soon. To maximize the benefits of this talk, attendees should possess a fundamental understanding of fuzz testing, programming languages, and basic AI concepts. However, a high-level refresher will be provided to ensure a smooth experience for all participants.
Conference:  Defcon 31
Authors: Daniel dos Santos Head of Security Research, Forescout, Simon Guiot Security Researcher, Forescout
2023-08-01

This talk discusses an overlooked aspect of Border Gateway Protocol (BGP) security: vulnerabilities in how its implementations parse BGP messages. Software implementing BGP is relied upon for Internet routing and for functions such as internal routing in large data centers. A lot of (deserved) attention is given to aspects of BGP protocol security discussed in RFC4272, which can be mitigated with the use of RPKI and BGPsec. However, recent BGP incidents show that it might take only a malformed packet to cause a large disruption. We will present a quantitative analysis of previous vulnerabilities in both open and closed-source popular BGP implementations and focus the talk on a new analysis of seven modern implementations. Main findings in this research include: 1. Some implementations process parts of OPEN messages before validating the BGP ID and ASN fields of the originating router, which means that only TCP spoofing is required to inject malformed packets. 2. Three new vulnerabilities in a leading open-source implementation, which could be exploited to achieve denial of service on vulnerable peers, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive. These vulnerabilities were found using a fuzzer we developed and will release to the community.
Conference:  Black Hat Asia 2023
Authors: Chiachih Wu, Yuan-Tsung Lo
2023-05-12

In 1993, Microsoft introduced the proprietary NTFS with Windows NT 3.1. Over two decades later, the full-fledged NTFS native driver, dubbed NTFS3, contributed to the Linux 5.15 kernel in late 2021 by Paragon Software. As a new and complicated subsystem in the Linux kernel, NTFS3 is a good target for hackers and security researchers. Based on that, we started using system call fuzzers (e.g., syzkaller, Trinity, etc.) for identifying vulnerabilities in NTFS3. However, as shown in previous context-aware fuzzing efforts, we need a more efficient way to skip invaluable paths generated by the random mutation.We chose to leverage and improve the context-aware file system fuzzer, Janus, to fuzz NTFS3. Although Janus is an excellent fuzzing framework, there are still some challenges to applying it on NTFS3 and the latest Linux kernel. Specifically, we created a NTFS3 parser based on the incomplete NTFS spec to pre-check the fuzzer-generated file system images for efficiency. Besides, we ported the outdated Linux kernel library (LKL) to the latest Linux kernel, which is the key to shortening the target reboot time. In addition, we added KASAN support for LKL, which helped us to detect non-crash memory violations.As a result, we identified dozens of crashes/bugs/vulnerabilities with 9 patches currently in the v6.2 release candidate process and 3 patches accepted by the NTFS3 maintainer. In particular, one of the critical vulnerabilities we identified could be exploited to perform local privilege escalation attacks. Specifically, we crafted a malformed NTFS image to demonstrate that we could corrupt kernel memory chunks on the heap by mounting that image. With proper heap spray technique, we could further gain root privileges if we have the unprivileged mounting capability (e.g., auto-mounting).
Conference:  Black Hat Asia 2023
Authors: Zong Cao, Zheng Wang, Yeqi Fu, Fangming Gu, Bohan Liu
2023-05-12

WebAssembly (WASM) is a high-performance compiled language for execution in web browsers that interoperates with JavaScript. In general, the wasm compiler in the browser is integrated into the javascript engine, which has proven to be an important attack surface in browsers over the past years. Protecting the security of the WASM compiler is a matter of security for the browser, and thus for the users. We have seen a remote code execution vulnerability in the wasm compiler previously (pwn2own2021), and it seems that no public research has continued to demonstrate vulnerabilities from this attack surface since then. In fact, over the past year, the number of commits of the Webassembly compiler in Webkit has surpassed that of javascript JIT and introduced some new features based on the wasm 2.0 specification such as Exceptions, Tail Call, SIMD, etc. In this case, the security of the wasm compiler should be re-emphasized.In this study, we focus on Webkit vulnerability hunting using fuzz testing. We first investigated some of the existing wasm fuzzer and studied their design patterns, and then we used a clever approach to create an efficient fuzzer for Webkit fuzzing. In addition, we deployed the fuzzer to other architectures because the Codegen part of the WASM compiler is architecture related. So far, we have submitted a total of 13 security-related issues (and the fuzzer is still producing new crashes today), 4 of which have been assigned CVEs and official acknowledgments from Apple, while some are still being investigated. These issues affect LLInt, BBQ, and OMG of the Webassembly compiler, some of which are also architecture related. In this talk, we will explain why we chose Webkit as our primary target and give a detailed introduction to the fuzzer creation process, as well as analyze a few interesting vulnerabilities we found.
Conference:  Black Hat Asia 2023
Authors: Ziling Chen, Nan Wang, Hongli Han
2023-05-12

Nowadays, multiple mitigation mechanisms have gradually been added to Google Chrome in order to reduce the traditional RCE attack surfaces (e.g., V8 and Blink), which greatly increases the attack difficulty. Besides these well-known attack surfaces, we found SQLite can be directly accessed by remote attackers via Chrome WebSQL API.In this talk, we will present a mutation-based Fuzzer towards WebSQL. By leveraging extra syntax tree and context analysis, the fuzzer substantially improves the syntactic and semantic correctness of the generated SQL samples, and uncovered new vulnerabilities in WebSQL.Most of the acknowledged CVEs related to WebSQL were discovered by our fuzzer since the SQL statement whitelist restriction has been enhanced in Chrome WebSQL in 2020. Furthermore, the identified vulnerabilities were all rated as high severity. The details and exploits of these vulnerabilities will also be shared by us.
Conference:  Black Hat Asia 2023
Authors: Imran Saleem
2023-05-12

The talk is mainly driven by the cyber intelligence gathered in response to political shifts in the region. The core focus of the talk is to bring awareness, and reveal actionable intelligence to a larger set of audience, specifically operators to take solid measures to ensure they have cyber resilience when it comes to handling these nation-state attacks during conflicts. As the theme of the talk is cyber-attacks during conflicts, we will share a glimpse of intelligence that was captured during the US forces' withdrawal from Afghanistan. We will discuss the timeline of the US withdrawal and how these activities were directly reflected and seen on the global signalization. We will also share our intelligence gathered around the Russian and Ukraine conflict and how mobile networks were weaponized to inflict cyber war with a primary focus on nation-state activity led by Russian sources/identity holding various objectives (i.e hostile registration, location tracking and surveillance, SMS hijack, account takeover performing identity impersonation, identity spoofing via SS7 on link level and upper layers, and zero-day exploit techniques used in an attempt to bypass security control). These activities were supported by fuzzing looking to evade security defenses. Redacted network capture would be used to demonstrate the attack methodology. We will also walk through and provide evidence of how zero-day exploits on the global Signaling are incurring financial losses for mobile operators. The talk brings a unique perspective for mobile network operators on how revisiting their efforts in building a concrete cyber resilience security strategy can prevent operators from financial and reputational losses and prepare them for hybrid war.Please note that this will be a remote (virtual) presentation.
Conference:  Black Hat Asia 2023
Authors: Simon Scannell, Valentina Palmiotti, Juan José López Jaimez
2023-05-11

Extended Berkeley Packet Filter (eBPF) is a technology that provides capabilities to programmers seeking to make use of kernel layer performance and functionality. Fundamentally, eBPF allows users to load programs into kernel space and attach them to hook points. This allows for loading kernel code at runtime without needing to modify the kernel source code itself or develop a kernel module. eBPF programs are written in a high-level language and then compiled into assembly-like bytecode. At load time, the bytecode is JIT-compiled into the native architecture which allows for the program to be kernel and architecture-independent. The instruction set is minimal but allows programmers to call outside kernel functions, read and store data in various data structures and perform pointer arithmetic and operations.Programs that run in the kernel must be carefully analyzed to ensure that these programs follow rules to guarantee the integrity and security of the kernel running the program. A single code flaw in any of the components involved in program parsing, analysis, optimization, and compilation may lead to a compromise of the kernel running an eBPF implementation.As eBPF becomes more prevalent, the goal of our talk is to share the history of eBPF vulnerabilities, bug classes, mitigations and provide an outlook for the future. We will also share our insights into automated vulnerability discovery. We will introduce listeners to advanced concepts of structured fuzzing such as designing and implementing an Intermediate Language. We will also discuss identifying roadblocks such as bug detection and give practical examples of how to overcome them. This will enable anyone to apply these concepts to their own fuzzing campaigns. The source code of our fuzzer will also be made available.
Authors: Jeremy Matos
2022-10-25

tldr - powered by Generative AI

Using Go Fuzzing to improve the test coverage of security helper libraries and gain confidence in their effectiveness
  • Security helper libraries can be hard to unit test as they need to ensure 'bad' inputs are not considered valid
  • Go Fuzzing can be used to identify corner cases and improve test coverage
  • A real-life example of a path traversal vulnerability in Grafana OSS is used to demonstrate the effectiveness of Go Fuzzing
  • Writing predicates for Go Fuzzing can be challenging as the validation logic becomes more complex
  • Once trusted security helpers are identified, they should be communicated and enforced through static analysis tools
Conference:  Black Hat USA 2022
Authors:
2022-08-11

tldr - powered by Generative AI

The presentation discusses a new approach to concurrency testing using coverage-guided fuzzing and annotations to control interleavings. The approach allows a fuzzer to explore all possible interleavings and find bugs efficiently.
  • Concurrency testing is important for security and performance
  • Current approaches to concurrency testing are limited and inefficient
  • The proposed approach uses coverage-guided fuzzing and annotations to control interleavings
  • The approach allows a fuzzer to explore all possible interleavings and find bugs efficiently
  • Future work includes informing the fuzzer about different threads and improving performance
Tags:
Conference:  Black Hat USA 2022
Authors:
2022-08-11

tldr - powered by Generative AI

The presentation discusses the use of fuzzing to discover vulnerabilities in the Titan M chip and the importance of implementing strong security measures.
  • The Titan M chip is used to mitigate side channel attacks and communicates with Android through hardware buses.
  • Black box fuzzing and emulation-based fuzzing are effective methods for discovering vulnerabilities in the chip.
  • A critical zero-day vulnerability was discovered and used to leak strongbox keys.
  • Implementing strong security measures, such as user authentication, can mitigate vulnerabilities.
  • Updating the VMware is the best mitigation for the discovered vulnerability.
Tags: