Vulnerability research: what it takes to keep going
and going and going…
Cédric Tessier, Security Researcher / [email protected]
JD-HITBSECCONF 2018, Beijing
Who Am I?
• Obviously not Fred Raynal (aka pappy)
  • No grey beard, way too young ;)
• Cédric Tessier (@nezetic)
  • One of Fred’s padawans
• Dark arts enthusiast
  • Reverse engineering
  • Vulnerability research
  • Functional programming
  • Black metal
Vulnerability Research
● motive (why)
● attack surface (where)
● knowledge (how)
● first move (when)
Vulnerability research cannot be reserved to the bad guys…
… as it will give them the advantage
JD-HITBSECCONF 2018 - Vulnerability research: what it takes to keep going 3
Offensive Security
From a defensive-only security paradigm…
…to both defensive AND offensive
● Deep complementarity
● Counterbalance the bad guys’ advantages
● Increase the cost of attacks
● Knowledge is power
Platforms Diversity
• Huge diversity of platforms
  • toward the end of the Wintel (Windows + Intel x86) era
  • ARM’s dominance on mobile markets
  • MIPS, PowerPC, [your 90s architecture] still kicking
Software Complexity
• Increasing complexity of the applications
  • multi-megabyte software libraries are common
  • web browsers are more like small operating systems
• Closed source binaries
  • very common in the industry
  • require reverse engineering
  • but fewer eyes often means more bugs…
Increased Difficulty
• Overall improvements over the past years
  • more mitigations and compiler enhancements
  • better development cycles (continuous bug hunting)
• Finding exploitable bugs is more difficult
  • low-hanging fruit less and less common
  • yes, it’s bad news (think as a James Bond villain)
Finding vulnerabilities
• Never-ending quest (growing code base)
• Renewed challenge (increasing difficulty)
• Competitive field (inflating investment)
How to keep going?
What next?
Google P0 will do the job…
Ville Hyvönen
What do we need?
• More time, more money!
  • Our customers will surely love that one…
• More people!
  • We are recruiting ;)
• New ideas!
  • How to be smarter?
• Better tools!
  • Be more efficient
Better tools?
• Lots of progress during the last 10 years
• Plenty of amazing tools available
  • IDA
  • Frida
  • PIN
  • Clang / ASAN / libFuzzer (LLVM)
  • AFL
• More and more free and open-source
What do we dream?
Ideal tools should all be:
• Multiplatform
  • Same tools on every platform
• Flexible
  • Adapt to exotic approaches or targets
• Efficient
  • Don’t waste resources (as we don’t have much…)
• Robust…
Reality is a…
• We need tons of things
• And we want them now!
• Big challenges ahead
• Development is hard
• Maintaining tools even worse
• Long and tough road…
• …and time is money
Who are we?
• French cyber-security company
  • ~50 employees
• Creating products
  • Software protection
  • Content analysis
• Providing high-end services
  • Vulnerability research
  • Reverse engineering
  • Software and hardware security
R&D
• Small private R&D lab
  • Self-financed
• Many research fields
  • Reverse engineering
  • Vulnerability research
  • Cryptography
  • Obfuscation
• Limited resources
  • Who said « long and tough road »?
Do… or do not
• Service activity
  • First-hand feedback
  • What is really needed?
• Product activity
  • Experience in development
  • Infrastructure (Continuous Integration)
• R&D at core
  • Technical challenges are in the company’s DNA
Unrealistic?
• Not a multi-billion dollar company…
  • …but a small one with specific needs
Analysing a 20MB binary VS 1 million 1MB ones
Let’s try to improve things…
…at least the ones that matter to us
Binary analysis
• Many (like many many) existing tools
  • And dozens of frameworks
• All of them with limitations
  • « only support ELF file format »
• Different customers, various needs
  • « can you send us an ELF instead? »
Multiplatform? Flexibility? Efficiency?
Executable Formats
• Parsers are fundamental components
  • Often overlooked
• Seen as mandatory but boring
  • « Let’s hack around libelf »
• « Easy » to create something
  • Hard to make it last…
• Do one thing…
  • …but do it as well as you can
LIEF
Library to Instrument Executable Formats
• Cross platform library
• Parse (and abstract)
  • ELF, PE, MachO, DEX, OAT, ART
• Modify
  • some parts of these formats
• User-friendly
  • Powerful C/C++/Python APIs
Give it a try! https://lief.quarkslab.com/
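The two slides above make a point that is easy to nod at and hard to practise: a format parser is the first thing a binary-analysis tool trusts, so it has to survive truncated and hostile input, and it should hide the format behind one entry point. The following added example (not LIEF or Quarkslab code, written for this page) sketches that in Python: a magic-number sniffer for ELF, PE and Mach-O, an ELF header parser whose every read and every table offset is checked against the file size, and a constructed 64-byte ELF64 header as sample input. The `build_sample_elf64` helper and the `describe` summary format are inventions of the example.

```python
"""Defensive executable-format sniffing and ELF header parsing (added example)."""
import struct
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"                      # DOS stub only; a full PE check follows e_lfanew to "PE\0\0"
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit, both byte orders
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit, both byte orders
                b"\xca\xfe\xba\xbe"}                        # fat / universal
ELF_HDR_FMT = {32: "HHIIIIIHHHHHH", 64: "HHIQQQIHHHHHH"}   # Ehdr fields after e_ident


class ParseError(ValueError):
    """Raised for any malformed or truncated input."""


def detect_format(data: bytes) -> str:
    """Classify a blob by magic number only (cheap first step before parsing)."""
    if data[:4] == ELF_MAGIC:
        return "ELF"
    if data[:2] == PE_MAGIC:
        return "PE"
    if data[:4] in MACHO_MAGICS:
        return "MachO"
    return "unknown"


@dataclass
class ElfHeader:
    bits: int
    little_endian: bool
    e_type: int
    e_machine: int
    e_entry: int
    e_phoff: int
    e_phnum: int
    e_shoff: int
    e_shnum: int


def parse_elf_header(data: bytes) -> ElfHeader:
    """Parse an Elf32/Elf64_Ehdr with every field range-checked against len(data)."""
    if data[:4] != ELF_MAGIC:
        raise ParseError("not an ELF file")
    if len(data) < 16:
        raise ParseError("truncated e_ident")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2):
        raise ParseError(f"bad EI_CLASS {ei_class}")
    if ei_data not in (1, 2):
        raise ParseError(f"bad EI_DATA {ei_data}")
    bits = 32 if ei_class == 1 else 64
    fmt = ("<" if ei_data == 1 else ">") + ELF_HDR_FMT[bits]
    hdr_size = 16 + struct.calcsize(fmt)          # 52 for ELF32, 64 for ELF64
    if len(data) < hdr_size:
        raise ParseError(f"truncated ELF header ({len(data)} < {hdr_size} bytes)")
    (e_type, e_machine, _version, e_entry, e_phoff, e_shoff, _flags, e_ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = struct.unpack_from(fmt, data, 16)
    if e_ehsize != hdr_size:
        raise ParseError(f"unexpected e_ehsize {e_ehsize}")
    # Table offsets come from the file itself; never trust them to lie inside it.
    for name, off, num, ent in (("program", e_phoff, e_phnum, e_phentsize),
                                ("section", e_shoff, e_shnum, e_shentsize)):
        if num and off + num * ent > len(data):
            raise ParseError(f"{name} header table points outside the file")
    return ElfHeader(bits, ei_data == 1, e_type, e_machine, e_entry,
                     e_phoff, e_phnum, e_shoff, e_shnum)


def describe(data: bytes) -> str:
    """One-line summary, or an error string; never raises on bad input."""
    kind = detect_format(data)
    if kind != "ELF":
        return f"{kind}: header parsing not implemented in this example"
    try:
        h = parse_elf_header(data)
    except ParseError as exc:
        return f"ELF error: {exc}"
    endian = "LE" if h.little_endian else "BE"
    return (f"ELF{h.bits} {endian} type={h.e_type} machine={h.e_machine} "
            f"entry=0x{h.e_entry:x} phnum={h.e_phnum} shnum={h.e_shnum}")


def build_sample_elf64(shoff: int = 0, shnum: int = 0) -> bytes:
    """Constructed 64-byte ELF64 LE header (x86-64, ET_EXEC); not taken from a real binary."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, EV_CURRENT
    return e_ident + struct.pack("<" + ELF_HDR_FMT[64],
                                 2, 62, 1, 0x401000,        # ET_EXEC, EM_X86_64, version, entry
                                 0, shoff, 0,               # e_phoff, e_shoff, e_flags
                                 64, 56, 0, 64, shnum, 0)   # ehsize, phentsize, phnum, shentsize, shnum, shstrndx


if __name__ == "__main__":
    print(describe(build_sample_elf64()))
    print(describe(build_sample_elf64()[:40]))                  # truncated header
    print(describe(build_sample_elf64(shoff=0x1000, shnum=1)))  # table outside the file
    print(describe(b"MZ\x90\x00"))
```

The size check against `e_ehsize` and the table-bounds loop are the lines that usually get skipped when someone "hacks around libelf"; they are also the lines that keep a fuzzer-fed tool from crashing on the very files it is meant to analyse.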
One ring
Sales Pitch
• Flexible
  • Just a (nice) library
  • Abstractions (common APIs for all formats)
• Robust (we do our best…)
  • Clean build system (cmake)
  • Continuous Integration
  • Fuzzing (integrated in CI)
• Efficient
  • Core implemented in C++
  • pybind11 Python bindings
DBI
● Observe any state of a program…
  ○ …anytime during runtime
● Automate the data collection and processing
“Transformation of a program into its own measurement tool”
Use Cases
• Finding memory bugs
  • Allocations / deallocations
  • Accesses
• Fuzzing
  • Code coverage
  • Symbolic representation of code
• Recording execution traces
  • “Timeless” debugging
  • Software side-channel attacks against crypto
Existing Frameworks
QBDI
QuarkslaB Dynamic binary Instrumentation
● Open-source
● Cross-platform
  ○ macOS, Windows, Linux, Android and iOS
● Cross-architecture
  ○ x86_64, ARM (more to come)
● Modular design (Unix philosophy)
Give it a try! https://qbdi.quarkslab.com/
Modularity
● Only provides what is essential
● Don’t force users to do things your way
● Easy integration everywhere
Integration
Fuzzing
• Fuzz testing software
  • Injects randomized or mutated inputs
  • Provides a way to find bugs
• Completely automated
  • Input generation
  • Software execution
  • Crash (pre)analysis (or triage)
• « Fire and forget »
  • Nice, we lack resources…
AFL
• State-of-the-art fuzzer
  • A reference in industry
  • Impressive trophies (openssl, openssh, …)
• Open-source
© Michał Zalewski
Code Path
(not so Huge) Code Path
Smart Fuzzer
• Hybrid approach
  • Various brute force strategies (input mutation)
  • Genetic algorithm (input selection)
• Focus on inputs that produced new paths
  • Maximise code coverage (better results)
  • Minimise search space (less time)
aims at better efficiency
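The DBI and fuzzing slides above describe one mechanism from two sides: instrumentation turns the program into its own measurement tool, and a coverage-guided fuzzer uses that measurement to decide which mutated inputs are worth keeping. The added example below (not AFL, QBDI or Quarkslab code; written for this page) puts the loop in about sixty lines of Python. `sys.settrace` stands in for the instrumentation engine and records which lines of the target ran; the fuzzer mutates corpus members AFL-style and keeps a child only when it covers a line no earlier input reached. The target `parse_record` is a constructed toy parser with a planted off-by-one read three conditions deep, so the demo has something to find; `SEEDS`, `mutate` and the `fuzz` result dictionary are inventions of the example.

```python
"""Coverage-guided fuzzing in miniature (added example)."""
import random
import sys


def parse_record(data: bytes) -> str:
    """Constructed toy target: 4-byte header (magic, version, length, flags) plus payload."""
    if len(data) < 4:
        return "too short"
    if data[0] != 0x52:                 # 'R' magic
        return "bad magic"
    version = data[1]
    if version == 1:
        return "v1 record"
    if version != 2:
        return "bad version"
    length = data[2]
    payload = data[4:4 + length]
    if data[3] != 0x80:                 # "extended" flag
        return "v2 record"
    # Planted bug: reads one element past the payload (always out of range).
    return "v2 extended, tail byte %d" % payload[length]


def run_with_coverage(func, data):
    """Execute func(data) under a line tracer; return (set of executed lines, crashed?)."""
    covered = set()

    def tracer(frame, event, arg):
        if frame.f_code is func.__code__:
            if event == "line":
                covered.add(frame.f_lineno)
            return tracer               # keep tracing the target's frame
        return None                     # ignore every other frame

    sys.settrace(tracer)
    try:
        func(data)
        crashed = False
    except Exception:                   # any uncaught exception is treated as a crash
        crashed = True
    finally:
        sys.settrace(None)
    return covered, crashed


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random AFL-style mutation: byte replace, bit flip, insert or delete."""
    buf = bytearray(data)
    r = rng.random()
    if r < 0.5 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif r < 0.7 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif r < 0.85 and len(buf) < 32:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) > 1:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seeds, budget: int, seed: int = 0) -> dict:
    """Genetic loop: mutate a corpus member, keep the child only if it covers new lines."""
    rng = random.Random(seed)
    corpus, total_cov = [], set()
    for s in seeds:
        cov, _ = run_with_coverage(target, s)
        total_cov |= cov
        corpus.append(s)
    for i in range(1, budget + 1):
        child = mutate(rng, rng.choice(corpus))
        cov, crashed = run_with_coverage(target, child)
        if crashed:
            return {"crash": child, "iterations": i, "corpus": len(corpus), "lines": len(total_cov)}
        if cov - total_cov:             # new path: worth keeping as a parent
            total_cov |= cov
            corpus.append(child)
    return {"crash": None, "iterations": budget, "corpus": len(corpus), "lines": len(total_cov)}


SEEDS = [b"AAAA", bytes(8)]             # constructed seeds; neither carries the right magic

if __name__ == "__main__":
    print(fuzz(parse_record, SEEDS, budget=200_000, seed=1))
```

The "smart" part is the single `if cov - total_cov:` line: without it the loop is blind brute force and has to hit magic, version and flag in one lucky mutation; with it each byte is found independently because the input that reaches a new line is promoted to a parent. That is also why a check on several bytes at once (a checksum, a 32-bit constant) defeats this strategy, which is the gap the symbolic-execution slides address.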
AFL Limitations
• Pros:
  • Fast (scales to thousands of executions per second)
  • Efficient (finds bugs in real-world applications)
• Cons:
  • Portability issues
  • Target sources are required
Bad news: we rarely have sources (weird, isn’t it?)…
AFL/QBDI
AFL with QBDI as the instrumentation engine
• Targets closed source binaries
• Allows runtime optimizations (space reduction)
• Reverse engineering needed (no sources)
  • Mandatory (but often minimal) when targeting internals
Best Friends
• Improved along with QBDI
  • Better performance (raw speed)
  • On-the-fly optimizations (code coverage)
  • Memory error detection (accuracy)
  • ...
• and LIEF
  • Transform a binary into a library
  • Statically inject your fuzzer
  • Add symbols for internal functions
  • ...
Sales Pitch
• Easy to use C / C++ APIs
  • With proper documentation
  • Yes, it matters...
  • ...even if used internally by a few people
• Modular architecture
  • Various libraries (core, forkserver, loader)
  • Not drowned in a fork of AFL
• Robust build system
  • Regression tests
• A multiplatform custom memory allocator…
  • Seriously, it’s painful, boring, but mandatory
“Demo”
For more, enjoy Gwaby’s talk: https://www.whinysoot.com/slides/AFL_QBDI_KSE_On_a_Boat.pdf
Symbolic Execution
• Analyzes software without running it
  • Uses symbolic values instead of inputs
  • Represents computations as expressions
Constraints Solving
• Taking a path or not depends on conditions
• Conditions create path constraints
• Symbolic expressions can represent constraints
• Constraints can be solved symbolically
  • SAT/SMT solvers (like Z3)
Triton
Dynamic Symbolic Execution Library
• Cross-platform
  • macOS, Windows, Linux
• x86 and x86-64
  • ARM / ARM64 in the pipeline
• Modular and easy to integrate
  • LIEF
  • IDA
  • QBDI
• Python and C++ API
Give it a try! https://triton.quarkslab.com/
Smarter Fuzzer
• New kind of hybrid approach
  • Discover paths with AFL/QBDI
  • Use symbolic execution when stuck (solve hard-to-guess conditions)
• Inspired by Shellphish’s Driller (NDSS 2016)
  • DARPA’s Cyber Grand Challenge
  • Simplified environment and constraints
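The Constraints Solving slide and the Smarter Fuzzer slide describe the same mechanism at two scales: a branch condition becomes a path constraint over symbolic input, a solver produces an input that satisfies it, and a Driller-style loop applies that to exactly the branch a mutation fuzzer is stuck on. The added example below (not Triton, Driller or Quarkslab code; written for this page) shows the whole cycle in Python on a constructed target. Each input byte is a symbolic variable, `Concolic.branch` records every condition with the direction the concrete run took, and `explore` negates the deepest branch whose other side has not been seen. The solver is a brute-force search over at most two bytes standing in for Z3; the `Sym` class, the `checker` target and the expression syntax are inventions of the example.

```python
"""Driller-style concolic exploration in miniature (added example)."""
from itertools import product

BINOPS = {
    "+": lambda a, b: a + b, "*": lambda a, b: a * b, "^": lambda a, b: a ^ b,
    "&": lambda a, b: a & b, ">>": lambda a, b: a >> b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


class Sym:
    """Symbolic expression tree: a variable, a constant, a negation or a binary operator."""

    def __init__(self, op, *args):
        self.op, self.args = op, args

    def _bin(self, op, other):
        other = other if isinstance(other, Sym) else Sym("const", other)
        return Sym(op, self, other)

    __add__ = lambda s, o: s._bin("+", o)
    __mul__ = lambda s, o: s._bin("*", o)
    __xor__ = lambda s, o: s._bin("^", o)
    __and__ = lambda s, o: s._bin("&", o)
    __rshift__ = lambda s, o: s._bin(">>", o)
    __eq__ = lambda s, o: s._bin("==", o)       # builds a constraint, not a bool
    __ne__ = lambda s, o: s._bin("!=", o)
    __hash__ = object.__hash__

    def eval(self, env):
        """Concrete value of the expression under a {name: int} assignment."""
        if self.op == "var":
            return env[self.args[0]]
        if self.op == "const":
            return self.args[0]
        if self.op == "not":
            return not self.args[0].eval(env)
        return BINOPS[self.op](*(a.eval(env) for a in self.args))

    def vars(self):
        if self.op == "var":
            return {self.args[0]}
        return set().union(*(a.vars() for a in self.args if isinstance(a, Sym)))

    def __str__(self):
        if self.op in ("var", "const"):
            return str(self.args[0])
        if self.op == "not":
            return f"!({self.args[0]})"
        return f"({self.args[0]} {self.op} {self.args[1]})"


class Concolic:
    """Runs a target on a concrete input while recording the path constraint."""

    def __init__(self, data: bytes):
        self.env = {f"b{i}": v for i, v in enumerate(data)}
        self.path = []                   # [(condition, taken)] in execution order

    def byte(self, i):
        return Sym("var", f"b{i}")

    def branch(self, cond):
        taken = bool(cond.eval(self.env))
        self.path.append((cond, taken))
        return taken


def checker(c: Concolic) -> str:
    """Constructed target: a magic byte, then a mixed two-byte check that mutation has no gradient towards."""
    x, y = c.byte(0), c.byte(1)
    if not c.branch(x == 0x52):
        return "bad magic"
    if not c.branch((((x * 31) ^ (y * 17)) & 0xFF) == 0x9E):
        return "checksum mismatch"
    return "deep path"


def solve(constraints, names, domain=range(256)):
    """Brute-force stand-in for an SMT solver: first assignment satisfying every constraint."""
    if len(names) > 2:
        raise ValueError("toy solver handles at most two byte variables")
    for values in product(domain, repeat=len(names)):
        env = dict(zip(names, values))
        if all(k.eval(env) for k in constraints):
            return env
    return None


def explore(target, seed: bytes, max_rounds: int = 16):
    """Repeatedly flip the deepest branch whose other side is still unexplored."""
    inputs, results, seen, cur = [seed], [], set(), seed
    for _ in range(max_rounds):
        c = Concolic(cur)
        results.append(target(c))
        flags = tuple(t for _, t in c.path)
        seen.update(flags[:i] for i in range(len(flags) + 1))
        nxt = None
        for i in range(len(flags) - 1, -1, -1):
            want = flags[:i] + (not flags[i],)
            if want in seen:
                continue
            constraints = [cond if t else Sym("not", cond)
                           for (cond, _), t in zip(c.path[:i + 1], want)]
            names = sorted(set().union(*(k.vars() for k in constraints)))
            sol = solve(constraints, names)
            if sol is None:
                seen.add(want)           # infeasible side; never retry it
                continue
            nxt = bytes(sol.get(f"b{j}", cur[j]) for j in range(len(cur)))
            break
        if nxt is None:
            break
        inputs.append(nxt)
        cur = nxt
    return inputs, results


if __name__ == "__main__":
    for inp, res in zip(*explore(checker, b"\x00\x00")):
        print(inp, "->", res)
```

Starting from two zero bytes the loop needs exactly two solver calls: the first yields the magic byte, the second satisfies `(((b0 * 31) ^ (b1 * 17)) & 255) == 158` with `b0` already fixed, which a mutation fuzzer would only hit by chance. The "smart but not fast" trade-off from the next slide is visible too: even this toy solver spends most of its time in the 65,536-candidate search for the second branch, which is why the hybrid approach hands only the stuck branches to symbolic execution.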
To the moon
• Guided fuzzers are fast but not (that) smart
• Symbolic execution is smart but not fast
1. Find the good ratio between smart and fast
2. Scale on real world programs
Automation
• Fuzzing is automating the vulnerability research
  • Good, very good (resources?)
  • But who is automating the fuzzer?
• Reduce the setup and post-processing times
  • Avoid repetitive and boring tasks
  • Focus only on what really matters
• Infrastructure needed
Infrastructure
• Good news:
  • Many existing bricks (Vagrant, Docker, …)
• Bad news:
  • Very specific needs (heterogeneous environments, isolation, ...)
  • Tons of bricks missing (orchestration, triage, ...)
  • We are not sysadmins :(
TIGRE
Terrible Interface de Gestion de REssources
Awful Resource Management Interface ™
• Manage resources
  • Physical devices
  • VMs
• Configure network
  • Autodiscovery
  • Isolation
• Distribute jobs
  • Use resources carefully
  • Handle monitoring and reports
Architecture
Dead inside
• Infrastructure automation is hardcore
  • Far from our core competences
  • Requires a very specific skill set
• All our goals are yet to be achieved
  • Robust
  • Scalable
  • Efficient
  • KISS 😂
  • Easy to use
  • ...
So?
• Things seem to converge
  • Pieces can finally be assembled…
  • ...and are working well together
• Amazing trip
  • Took us ~4 years…
  • ...but totally worth it
• Still far from the destination
  • but does it really matter?
Lessons Learned
• Vulnerability research can’t be isolated
  • even if it always comes with some secrecy
• So much to learn from others
  • Researchers
  • Developers
  • Sysadmins
No magic
• Security researchers are not magicians
  • can’t do everything by themselves
• Work smarter, not harder
  • No pride in losing hours due to poor tooling...
  • ...yes, even if it worked
  • ...yes, even if it’s impressive
• Collaboration is key
  • Especially interdisciplinary
Developers!
“They don’t care about security”
• Development is hard
  • Full-time job for ~12 million people
• To create advanced tools
  • you need specialists, experts…
  • ...who are rarely professional developers
• So much to learn from them
  • Code, process, infrastructures, …
Community
Can’t stay Alone in the Dark
• We strongly believe in FOSS
  • Permissive software licence
  • Contributors are always welcome
• Collaboration > Competition
• Community is essential
  • So many challenges left to overcome
  • Be nice to each other!