Here we are, attending once again USENIX Security Symposium (22nd edition) this time organized in Washington DC, US. This conference is known to be a leading forum to discuss and present novel and scientifically significant practical works in computer security. It is not that common to see two terms likepractical and scientifically significant used in the same sentence, right? This is the reason why I have a weak spot for this conference. It really attracts that kind of research that lets you dream of what computer security can be, without losing contact with reality. It is also a wonderful way to catch up with former colleagues from academia, especially if they are presenting some of their ongoing research (but I will get to that later).
The conference's first talk was the keynote by Prof. Felten. He detailed his experience while working at the Federal Trade Commission, and offered quite a number of insights to the audience about what does it mean to work with the government, and why, as technologists, we often have difficulties in understanding the idiosyncrasies of the law-making process. What I liked most were his attempts to encourage and further foster collaborations between government and technical sector, which is really rare these days.
The first session showed immediately some big guns. Istvan Haller from Vrije Universitet Amsterdam presented "Dowsing for Overﬂows: A Guided Fuzzer to Find Buffer Boundary Violations". I may be biased (I am intrigued by symbolic execution, and Istvan is a former colleague of mine) but I was really fascinated to see that using symbolic execution to scout for buffer overflow vulnerabilities is actually something possible. It is widely known that symbolically executing all program paths is not practical since it does not scale well (on the contrary). To mitigate this problem, the authors proposed an approach where they first identify the location where pointers are likely to be misused, and perform their analysis only on those program's components. Neat, right?
The second talk leveraged symbolic execution too (by the time I heard that, my mind was already set to a "wired" state), but this time to automatically generate SNORT rules starting from Metasploit-like attack scripts. The motivation is quite simple. Attack frameworks are often open-source and thus freely available to the public. Normally used for penetration tests, too often they are also used by bad guys to automate otherwise complex attacks (they are really script-kiddie friendly). The idea of the authors is using those attack scripts to automatically generate SNORT signatures in an automated manner; all this without supervision. A hefty idea to offer 1day protection, don't you think?
That is all for now. Tomorrow I will be looking for the authors of the research that has been recently banned by a British court injunction. They seem to be giving the talk anyway, alas stripped of some technical details (see here for more info). Expect some updates in case something big comes up