Thursday, October 20, 2016

NYC Area Security Folks – Come to SOS!

Every year the NYU School of Engineering hosts Cyber Security Awareness Week (CSAW) – the largest student-run security event in the country. This year, we're trying something new that combines two of my favorite things: security and open source.

The inaugural Security: Open Source (SOS) workshop, held this November 10 at NYU Tandon, will feature the creators of some really cool new security tools talking about their projects. It's happening the day before one of the best CTF challenges out there, so we're expecting an audience that's not afraid of technical detail :)

What will you hear about at SOS? Here are some of the cool speakers and topics:

  • Félix Cloutier will tell us about his open-source decompiler, fcd. This is a great example of incorporating cutting-edge academic research into an open-source tool that anyone can use. Félix is also a former CSAW CTF competitor.
  • Mike Arpaia, co-founder of Kolide, will talk about osquery, a new open-source operating system instrumentation framework and toolset he created while at Facebook. Mike will talk about his experience managing an open-source security project and how to make it successful.
  • Patrick Hulin from MIT Lincoln Laboratory will talk about a new differential debugging technique he's devised. Patrick is one of the lead developers on PANDA, and he'll talk about how he used another great open-source tool, Mozilla rr, to automatically do root-cause debugging on devilishly tricky record/replay bugs.
  • Jamie Levy, one of the core developers on the Volatility memory forensics framework, will talk about taking memory forensics to the next level. Jamie is one of the most talented forensic investigators and developers I know and this should be a great talk!
  • Jonathan Salwan and Romain Thomas from Quarkslab will present a deep dive on Triton, their exciting binary analysis platform that combines symbolic execution and dynamic taint analysis, and demonstrate how it can be used to defeat virtualization-based obfuscation techniques.
  • Ryan Stortz from Trail of Bits will talk about how they took the DARPA Cyber Grand Challenge test programs and ported them to run on OS X and Linux. This opens up some really cool possibilities for using them to evaluate the effectiveness of different security tools!
  • Andrew Dutcher of UCSB will talk about angr, their Python-based binary analysis platform that aims to bring together tons of state-of-the-art analyses under one roof. They've recently used it to get third place in the DARPA Cyber Grand Challenge, and it's become a popular tool for CTF players around the world.

SOS will take place in the Pfizer Auditorium at the NYU Tandon School of Engineering in Brooklyn from 10:30am-5:30pm on November 10, the day before the CSAW CTF.

So what are you waiting for? Go register!

Saturday, October 8, 2016

The LAVA Synthetic Bug Corpora

I'm planning a longer post discussing how we evaluated the LAVA bug injection system, but since we've gotten approval to release the test corpora I wanted to make them available right away.

The corpora described in the paper, LAVA-1 and LAVA-M, can be downloaded here:

http://panda.moyix.net/~moyix/lava_corpus.tar.xz (101M)

Quoting from the included README:

This distribution contains the automatically generated bug corpora used in the paper, "LAVA: Large-scale Automated Vulnerability Addition".

LAVA-1 is a corpus consisting of 69 versions of the "file" utility, each of which has had a single bug injected into it. Each bug is a named branch in a git repository. The triggering input can be found in the file named CRASH_INPUT. To run the validation, you can use validate.sh, which builds each buggy version of file and evaluates it on the corresponding triggering input.

LAVA-M is a corpus consisting of four GNU coreutils programs (base64, md5sum, uniq, and who), each of which has had a large number of bugs added. Each injected, validated bug is listed in the validated_bugs file, and the corresponding triggering inputs can be found in the inputs subdirectory. To run the validation, you can use the validate.sh script, which builds the buggy utility and evaluates it on triggering and non-triggering inputs.

For both corpora, the "backtraces" subdirectory contains the output of gdb's backtrace command for each bug.

Enjoy!