22nd USENIX Security Symposium

Here we are, once again attending the USENIX Security Symposium (the 22nd edition), this time held in Washington, DC, US. This conference is known as a leading forum for presenting and discussing novel, scientifically significant and practical work in computer security. It is not that common to see the two terms practical and scientifically significant used in the same sentence, right? That is why I have a weak spot for this conference. It attracts the kind of research that lets you dream of what computer security can be, without losing contact with reality. It is also a wonderful way to catch up with former colleagues from academia, especially if they are presenting some of their ongoing research (but I will get to that later).

The bootstrapping of the symposium.

The conference’s first talk was the keynote by Prof. Felten. He described his experience working at the Federal Trade Commission and offered the audience a number of insights into what it means to work with the government, and why we, as technologists, often have difficulty understanding the idiosyncrasies of the law-making process. What I liked most were his attempts to encourage and foster collaboration between the government and the technical sector, which is really rare these days.

The first session immediately brought out some big guns. Istvan Haller from Vrije Universiteit Amsterdam presented “Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations”. I may be biased (I am intrigued by symbolic execution, and Istvan is a former colleague of mine), but I was really fascinated to see that using symbolic execution to scout for buffer overflow vulnerabilities is actually feasible. It is widely known that symbolically executing all program paths is not practical, since it does not scale well (quite the contrary). To mitigate this problem, the authors proposed an approach that first identifies the locations where pointers are likely to be misused, and then performs the analysis only on those components of the program. Neat, right?

The second talk leveraged symbolic execution too (by the time I heard that, my mind was already in a “wired” state), but this time to automatically generate SNORT rules from Metasploit-like attack scripts. The motivation is quite simple. Attack frameworks are often open source and thus freely available to the public. Normally used for penetration tests, too often they are also used by bad guys to automate otherwise complex attacks (they are really script-kiddie friendly). The authors’ idea is to use those attack scripts to generate SNORT signatures automatically, without any supervision. A hefty idea for offering 1-day protection, don’t you think?

That is all for now. Tomorrow I will be looking for the authors of the research that was recently banned by a British court injunction. They seem to be giving the talk anyway, albeit stripped of some technical details (see here for more info). Expect some updates in case something big comes up 😉

Stay safe!
