OffensiveCon 2018: Building a Zero-Day Machine

Fabian Yamaguchi, Niko Schmidt & Marco Bartoli of ShiftLeft recently presented on our efforts to build a zero-day vulnerability machine at OffensiveCon. You can watch their presentation below.

FIELD REPORT ON A ZERO-DAY MACHINE

Make no mistake, security is about finding and exploiting vulnerabilities, not the ones everyone already knows about. The keen dream of the presenters is to build a machine that eats code on a large scale and outputs accurate information about all the ways in which this program exposes itself to the attacker, fails to be cautious about the input it receives, and leaks information. This is not something you create in a year and not in five, and while you do it, you continuously remember that what you are trying to do is impossible in general. This does not mean though, that it will not work remarkably well in practice.

This presentation is our first field report on this journey. In an iterative process, we identified which input this machine truly requires from the outside, and what it can do by itself. Pushing static data-flow tracking well beyond what is publicly available to date, we report on what it can do for you automatically, and where it still requires help. We proceed to present a new language similar to a firewall configuration, which allows to specify exactly what an attacker can do, which input she/he controls, and where data may leak to her/him. We show how this information, combined with language-neutral formulations of typical vulnerability patterns allow for cross-language identification of many classes of vulnerabilities, including object deserialization vulnerabilities, command injections and cross site scripting. We will illustrate this capabilities with real, previously unknown vulnerabilities.

To see how the zero-day machine works on your application, sign-up for a free data leakage assessment or free trial now!


OffensiveCon 2018: Building a Zero-Day Machine was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.



This is a Security Bloggers Network syndicated blog post authored by Andrew Fife. Read the original post at: ShiftLeft Blog - Medium