22nd USENIX Security Symposium

Here we are, attending once again USENIX Security Symposium (22nd edition) this time organized in Washington DC, US. This conference is known to be a leading forum to discuss and present novel and scientifically significant practical works in computer security. It is not that common to see two terms likepractical and scientifically significant used in the same sentence, right? This is the reason why I have a weak spot for this conference. It really attracts that kind of research that lets you dream of what computer security can be, without losing contact with reality. It is also a wonderful way to catch up with former colleagues from academia, especially if they are presenting some of their ongoing research (but I will get to that later).


The bootstrapping of the symposium.

The conference’s first talk was the keynote by Prof. Felten. He detailed his experience while working at the Federal Trade Commission, and offered quite a number of insights to the audience about what does it mean to work with the government, and why, as technologists, we often have difficulties in understanding the idiosyncrasies of the law-making process. What I liked most were his attempts to encourage and further foster collaborations between government and technical sector, which is really rare these days.

The first session showed immediately some big guns. Istvan Haller from Vrije Universitet Amsterdam presented “Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations”. I may be biased (I am intrigued by symbolic execution, and Istvan is a former colleague of mine) but I was really fascinated to see that using symbolic execution to scout for buffer overflow vulnerabilities is actually something possible. It is widely known that symbolically executing all program paths is not practical since it does not scale well (on the contrary). To mitigate this problem, the authors proposed an approach where they first identify the location where pointers are likely to be misused, and perform their analysis only on those program’s components. Neat, right?

The second talk leveraged symbolic execution too (by the time I heard that, my mind was already set to a “wired” state), but this time to automatically generate SNORT rules starting from Metasploit-like attack scripts. The motivation is quite simple. Attack frameworks are often open-source and thus freely available to the public. Normally used for penetration tests, too often they are also used by bad guys to automate otherwise complex attacks (they are really script-kiddie friendly). The idea of the authors is using those attack scripts to automatically generate SNORT signatures in an automated manner; all this without supervision. A hefty idea to offer 1day protection, don’t you think?

That is all for now. Tomorrow I will be looking for the authors of the research that has been recently banned by a British court injunction. They seem to be giving the talk anyway, alas stripped of some technical details (see here for more info). Expect some updates in case something big comes up 😉

Stay safe!

22nd USENIX Security Symposium

Your email address will not be published. Required fields are marked *



APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox