John Oliver may have written off 2016, but we’re darn proud of all that we accomplished and contributed this year.
We released a slew of the security tools that help us -and you- work smarter, and promoted a few more that deserved recognition. We helped the New York City InfoSec community build a foundation for future growth. Perhaps most importantly, we weighed in when we believed the record needed to be set straight.
Here are 14 reasons we’re counting 2016 as a success and feeling good about 2017.
1. Brought automatic bug discovery to market
2016 will go down in history as the year that software began finding and patching vulnerabilities automatically. Our Cyber Reasoning System (CRS), built to compete in DARPA’s Cyber Grand Challenge, made history on its own when it audited zlib. As far as we know, our CRS was the first ever to audit a much larger amount of code in less time, in greater detail, and at a lower cost than a human could. Read the audit report and Mozilla’s announcement.
In January, we used our CRS to help settle a $1,000 bet about libotr, a popular library used in secure messaging software. Discover our insights about the challenges encrypted communications systems present for automated testing, how we solved them, and our testing methodology. And find out who won the bet.
Our CRS is available for commercial engagements, but we’ve open sourced one of its companion tools: GRR, a high-throughput fuzzer built specifically for the CRS. Read about the challenges we overcame while designing and building GRR.
Released And Reviewed Foundational Tools
2. Created a standardized benchmark suite for security tools
DARPA released the source code for over 100 challenge programs used in the Cyber Grand Challenge (CGC). The CGC challenge programs are realistic programs that contain documented vulnerabilities. Unfortunately, the programs don’t run on Windows, Linux, or macOS. We fixed this. We ported and packaged the challenge programs into a cross-platform benchmark suite. Now researchers in academia and industry can reliably evaluate and compare their program analysis tools and bug mitigations.
3. Ported Facebook’s osquery to Windows
Facebook’s osquery allows you to easily ask security and performance questions about your endpoint infrastructure. Until earlier this year, it was only available for macOS and Linux. We ported osquery to Windows, overcoming numerous technical challenges: completely different process and security models, incompatible APIs, and divergent compiler behavior. The port was worth the effort. Before, similar functionality would require cobbling together manual solutions or expensive and proprietary commercial products. Now, there’s a better option.
4. Released Algo, a secure, user-friendly, and free VPN
We built Algo, a self-hosted VPN server designed for ease of deployment and security. Algo servers are not shared with other users, only use modern protocols and ciphers, and only include only the minimal software you need. Since Algo deploys to nearly all popular cloud computing platforms, it provides an effectively unlimited set of egress locations. For anyone who is privacy conscious, travels for work frequently, or can’t afford a dedicated IT department, this one’s for you.
5. Showed how to automatically generate exploits with Binary Ninja
Ryan showed how to use Vector35’s Binary Ninja, a promising new interactive static analysis and reverse engineering platform, to generate exploits for 2,000 unique binaries in this year’s DEFCON CTF qualifying round. Its feature-rich and accessible APIs beat all competing products. Had he used IDA or radare2, Ryan would have had to divert his time and attention to implementing a stack model or using fragile heuristics instead of focusing on the true goal of the CTF: exploiting binaries. Read his full review.
6. Released Protofuzz, a protobuf fuzzer
Protofuzz helps find bugs in applications utilizing Google Protocol Buffers (protobuf). Applications use protobufs to specify the structure of messages, which are passed between processes or across networks. Protobufs automate the error-prone task of generating message serialization and deserialization code. Typical fuzzers that rely on random permutation cannot explore past the correct, auto-generated code. Protofuzz creates valid protobuf-encoded structures composed of malicious values — ensuring that permuted data passes through the hard auto-generated shell into the soft underbelly of the target program.
7. Made iOS’s Secure Enclave usable with Tidas
Apple’s Secure Enclave Crypto API promised to liberate us from the annoyance of passwords and using your Google account to log into Pokemon Go. But it was unusable in its original state. So, we filled the gap with Tidas, a simple SDK drop-in for iOS apps that provides cryptographically proven — and passwordless — authentication. The introduction of the T1 chip and TouchID on new MacBook Pros opens exciting new potential for Tidas on macOS. If you dream of a passwordless future, check out our DIY toolkit in Swift or Objective-C.
Shared With The Community
8. Explained Control Flow Integrity, and how to use it to mitigate exploits
Control Flow Integrity (CFI) prevents bugs from becoming exploits. Before indirect control flow transfers, CFI validates that the target of the flow belongs to a pre-determined set of valid targets. Unfortunately, instructions for using CFI are hard to find and very confusing. We fixed the problem. We published two blog posts that describe how CFI prevents exploitation, and how to use it with clang and Visual Studio. We also provided working examples showing how CFI protects Linux, MacOS, and Windows applications.
9. Pulled back the veil on PointsTo, our whole-program static analysis tool
Dynamic program analysis tools like AddressSanitizer and Valgrind can tell developers when running code accesses uninitialized memory, leaks memory, or uses memory after it’s been freed. Despite this, memory bugs are still shipped and exploited in the wild. That’s because bugs have a nasty habit of hiding behind rarely executed code paths, and dynamic analysis tools can’t check every possible program path. PointsTo can. It’s a whole-program static analysis tool that we developed and use to find and report on potential use-after-free bugs in large codebases. Read about PointsTo.
10. Continued to enrich NYC’s InfoSec community
Our bi-monthly meetup –Empire Hacking– really picked up steam in 2016. Membership passed 500 people; 100 of whom regularly attend our meetings. We heard 14 superb presentations on pragmatic security research and new discoveries in attack and defense. Many thanks to our hosts: Spotify, Two Sigma, DigitalOcean, and WeWork!
Everyone is welcome at Empire Hacking, but it may not be for everyone. So we put together nyc-infosec.com, a directory of all of the gatherings, companies, and university programs in NYC that we could find. Our goals with nyc-infosec.com are to promote collaboration, to elevate NYC’s community to its rightful place on the InfoSec ‘stage,’ and to help researchers and practitioners benefit from each other’s work.
One local event even earned our sponsorship: O’Reilly’s Security Conference.
11. Hired three interns for meaningful work
This winter we are once again giving college students paid internships to work on interesting security problems. We work with each student to create a project that is interesting both for them and beneficial for us, and provide them with resources and mentorship to make progress. This year, our interns are working on applying machine learning to fuzzing, porting challenge binaries to Windows, and improving our program analysis tools. We’ll have a post summarizing their work when it’s done; meanwhile, you can read about our past interns’ experience. We’ll also be hiring interns for the summer: contact us if you are interested.
12. Delivered 9 new talks at 13 separate conferences
When we can, we share the science that fuels our work – the successes and the failures. This year we spoke with an exceptional number of people at conferences all over the world.
- Automated Bug Finding at Scale by Peter Goodman at COUNTERMEASURE
- Automated Exploit Generation by Sophia D’Antoine at CanSecWest
- The Bad Neighbor by Sophia D’Antoine at HITB Amsterdam
- Be a Binary Rockstar by Sophia D’Antoine at INBOT and CodeBlue
- Building a Scalable, Automated Hacking Machine by Artem Dinaburg at Infiltrate, ShakaCon, HCSS, and NCC Open Forum Chicago
- iOS Application Security by Dan Guido and Sophia D’Antoine at Code as Craft, QCon NY
- Static and Dynamic Analysis Shootout by Ryan Stortz and Kareem El-Faramawi at INBOT and CSAW SOS
- The Smart Fuzzer Revolution by Dan Guido at BSides Lisbon
- Swift Reversing by Ryan Stortz at Infiltrate and ShakaCon
Spoke The Truth
13. Called out Verizon for publishing bad data
Verizon’s Data Breach Investigations Report (DBIR) represents a collaborative effort involving 60+ organizations’ proprietary data. It’s the single best source of information for enterprise defenders, which is why it was a travesty that the report’s section on vulnerabilities used in data breaches contained misleading data, analysis, and recommendations. We chided Verizon and Kenna -the section’s contributor- and offered suggestions that would improve the quality of future DBIR. In response to criticism, Verizon and Kenna posted mea culpas on their blogs.
14. Clarified the technical details of the Apple-FBI standoff
In February, a federal judge ordered Apple to help the FBI recover encrypted data from the San Bernardino gunman’s iPhone 5C. Many argued the FBI’s request was technically infeasible given the support for strong encryption on iOS devices. Based on our reading of the request and knowledge of iOS, we explained why Apple could comply with the FBI in this instance. (If the iPhone had had a Secure Enclave, it would have been much harder.) For more detail, listen to Dan’s interview on the Risky Business podcast.
2017 won’t know what hit it
This year, we are looking forward to publicizing more of our research, continuing our commitment to our open source projects, and releasing more of our internal tools. We will:
- Release Manticore, a ruthlessly effective hybrid symbolic-concrete (“concolic”) execution system that scales to large programs with numerous dependencies, complex interaction, and manual setup.
- Add ARM support to McSema so we can lift binaries from all kinds of embedded systems such as hard drive firmware, phones, and IoT devices.
- Publicly release a tool that combines a set of LLVM passes to detect side-channel vulnerabilities in sensitive codebases.
- Sponsor Infiltrate 2017 and attend en masse. We really appreciate the forum they provide for a focused, quality review of the techniques attackers use to break systems. It’s a service to the community. We’re happy to support it.
- Deliver a project inspired by Mr. Robot. Yeah, the TV show. More on that soon.