Hunt your Zero-Days via Taint Analysis
After all the progress in cyber protection mechanisms, we still hear news such as: Twitter got hacked; Facebook accidentally exposed users' accounts, with the passwords of millions of users stored in plain text; Google closed its social network platform after data leaks and security concerns. It seems hackers manage to perform more successful and sophisticated attacks every year, mostly by exploiting unknown software vulnerabilities and using new techniques. As a result, cybercriminals can successfully steal the valuable information of millions of people.
- Apr 9, Online, 1 day, 07:00 - 14:00 UTC, 450 USD
In this workshop, I will introduce dynamic taint analysis (DTA), a powerful technique that allows us to detect zero-day vulnerabilities in software binaries before they are identified and exploited by hackers!
DTA works by monitoring a program's execution at runtime. Specifically, we taint sensitive data originating from external sources such as the network, the file system, and external processes. We then track these taints throughout the program's execution and, finally, try to prevent tainted data from reaching untrusted channels in insecure ways.
Then, I will teach you how to use DTA in practice to identify various programming vulnerabilities (e.g., remote code injection, SQL injection, cross-site scripting, insecure deserialization, etc.) in software binaries and source code, and how to enforce proper data-flow policies to prevent sensitive information from being leaked through untrusted channels.
- Introducing common challenges in performing vulnerability detection in real-world software systems where source code is unavailable and bytecode is heavily obfuscated
- What is dynamic taint tracking, and how to utilize it in software security?
- The downsides of dynamic taint tracking
- How to effectively leverage dynamic taint tracking for bug hunting under real-world circumstances
- How to instrument software binaries without breaking the law!
- How shadow memory works in lockstep with DTA to find your zero-days!
- How to verify a vulnerability with the Z3 SMT solver
- How to generate concrete exploits for identified vulnerabilities via concolic execution
- Practical examples of using taint analysis in various ecosystems such as x86 binaries, the Java Virtual Machine, and the Ethereum Virtual Machine
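As an added example that is not part of the workshop materials, the following Python sketch shows the mechanism described above (taint sources, propagation through registers and memory, and a policy check at each sink) with shadow registers and shadow memory kept in lockstep with execution; the toy instruction set, register names and the trace are constructed for illustration.

```python
# Added example (not the workshop's own code): a toy dynamic taint tracker that
# replays a constructed trace of a tiny 3-address machine. Shadow registers and
# shadow memory hold one set of taint labels per register / memory cell; sources
# label data, mov/add/load/store propagate labels, tainted data at a sink is reported.
from typing import Dict, List, Set, Tuple

def run_taint_tracker(trace: List[Tuple[str, ...]]) -> List[Tuple[int, str, Set[str]]]:
    regs: Dict[str, int] = {}              # concrete register values
    mem: Dict[int, int] = {}               # concrete memory cells
    sregs: Dict[str, Set[str]] = {}        # shadow registers: taint labels per register
    smem: Dict[int, Set[str]] = {}         # shadow memory: taint labels per address
    findings = []                          # (pc, sink name, labels) policy violations
    for pc, ins in enumerate(trace):
        op, args = ins[0], ins[1:]
        if op == "source":                 # (dst, value, label): data from a taint source
            dst, val, label = args
            regs[dst], sregs[dst] = val, {label}
        elif op == "const":                # (dst, value): trusted constant clears taint
            dst, val = args
            regs[dst], sregs[dst] = val, set()
        elif op == "mov":                  # (dst, src): copy value and its taint
            dst, src = args
            regs[dst], sregs[dst] = regs[src], set(sregs[src])
        elif op == "add":                  # (dst, a, b): result carries the union of taints
            dst, a, b = args
            regs[dst] = regs[a] + regs[b]
            sregs[dst] = sregs[a] | sregs[b]
        elif op == "store":                # (addr_reg, src): value and taint go to memory
            addr_reg, src = args
            mem[regs[addr_reg]] = regs[src]
            smem[regs[addr_reg]] = set(sregs[src])
        elif op == "load":                 # (dst, addr_reg): value and taint come from memory
            dst, addr_reg = args
            regs[dst] = mem.get(regs[addr_reg], 0)
            sregs[dst] = set(smem.get(regs[addr_reg], set()))
        elif op == "sink":                 # (name, src): policy check, report tainted input
            name, src = args
            if sregs[src]:
                findings.append((pc, name, set(sregs[src])))
    return findings

# Constructed trace: a length field read from the network is stored, reloaded,
# adjusted and passed to a copy-size sink; a constant reaches the same sink untainted.
SAMPLE_TRACE: List[Tuple[str, ...]] = [
    ("source", "r0", 0x41, "net"), ("const", "r1", 0x1000),
    ("store", "r1", "r0"), ("load", "r2", "r1"),
    ("const", "r3", 8), ("add", "r4", "r2", "r3"),
    ("sink", "memcpy_len", "r4"), ("sink", "memcpy_len", "r3"),
]
FINDINGS = run_taint_tracker(SAMPLE_TRACE)   # only pc 6 is reported, labelled "net"
```

Real DTA engines replace the toy interpreter with binary instrumentation and a byte-granular shadow memory, but the source/propagate/sink structure is the same.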
Mohammadreza is a software security researcher and program analysis enthusiast. In particular, he is interested in studying various techniques for fuzzing and testing COTS binaries. In this regard, he has successfully implemented several practical security testing frameworks, such as Tainer (for Java), RustFuzz (for Rust), and Etherolic (for Ethereum). The results of his research projects have been published in top-notch conferences and journals and have received various awards. Mohammadreza currently works as a postdoc researcher in Cyber Security at Virginia Tech as well as an adjunct assistant professor at Arden University in Berlin. Mo used to work for the University of Potsdam, CISPA, and Oracle Labs. He is also the founder and CEO of PersimmonWeb, a software startup. Currently, Mohammadreza lives in Berlin, and he likes cycling, photography, writing, and mixing electronics.
For more information check out his personal website: http://ashoury.de