March 1st, 2009 by kowsik
If you are developing or testing any kind of DPI/UTM/IPS thingy, you constantly have to wrap content you have (malware, viruses, browser exploits, etc.) into various protocol streams just to see if the signature matches. You set up the server and capture the packets, only to remember that you forgot to pass '-s 0' to tcpdump and your capture is all truncated. And then you start all over again to get the content over IPv6.
Posted in pcapr, Announcements
February 24th, 2009 by kowsik
In case you haven't seen this, it's being exploited in the wild, with a number of blogs talking about the specific details of the vulnerability. It's pretty serious because of the very large presence of Acrobat Reader across a wide range of OSes.
Posted in pcapr, IPS
January 14th, 2009 by kowsik
You know about LAMP and I'm sure you know about RoR, not to mention countless other web application frameworks. I would like to introduce you to JS3 (since we are on an acronym roll here), which is turning out to be my favorite way to build applications. I've built apps for a long time now with MFC/ATL, Swing and WEBrick, mainly because I like to visualize things in order to understand. And when your prototypes start looking like the real meal deal and the lines start getting blurrier, you know you've hit a home run.
Posted in JavaScript, Tools
January 13th, 2009 by kowsik
Wow, time sure flies when you are writing code.
Lots to blog about, but this one will be short. We just launched http://www.pcapr.net, a place to upload, view, edit, comment on and, yes, transform pcaps. All you need is a browser. Registration is currently by invite only, but we hope to open that up soon.
Posted in pcapr, JavaScript, Announcements
September 18th, 2008 by Gavin Heer
The Mu Dynamics Research Team released advisory “MU-200809-01” today. Details: MU-200809-01.txt
Posted in Advisories
September 4th, 2008 by kowsik
There was a post earlier today on Daily Dave about a DoS vulnerability in Chrome, which was supposedly caused by a Microsoft runtime library when trying to access bogus URL schemes. It reminded me of this:
Posted in Rants
July 14th, 2008 by kowsik
Just finished reading Zen and the Art of Motorcycle Maintenance for like the 100th time. I responded to a recent post on Daily Dave, and somehow it seemed to trigger some thoughts about romantic and classical perspectives on software bugs. If you've read the book at all, neither perspective is right or wrong; they are just different ways of looking at the same problem, and both are equally valid, since Quality is what drives them and, more importantly, creates them.
Posted in Rants
July 11th, 2008 by David Helder
The Mu Dynamics Research Team released advisory “MU-200807-01” today. Details: MU-200807-01
Posted in Advisories
June 30th, 2008 by kowsik
IPSes are just fun, aren't they? A bunch of high-speed pattern matchers with built-in protocol decodes. Well, I built one a while back and got tired after 5 years. There are only so many signatures you can have in a product before you run out of DFA/NFA space and have to resort to turning off the less important ones (i.e., *ahem* low severity) for the sake of performance. Interestingly enough, performance and security are at a crossroads. The more secure you are, the slower you run. Just the way things work, I suppose.
Posted in IPS
May 23rd, 2008 by kowsik
If you've gone through my CanSecWest slides, I talk a lot about Fields and how they are the fundamental units of protocols (network or file formats). The linkage information between the Fields and across messages is a pretty powerful way to infer the cyclomatic complexity of the code that parses these messages. When generating test cases (fuzzing being one kind), we can leverage these structural and semantic linkages to generate systematic constraint violations that ultimately exercise the various branches taken in the parser.
Posted in Mutations, Research