Announcing Cap’r Mak’r

March 1st, 2009 by kowsik

If you are developing or testing any kind of DPI/UTM/IPS thingy, you constantly have to wrap content you have (malware, virus, browser exploits, etc.) into various protocol streams just to see if the signature matches. You set up the server and capture the packets just to remember that you forgot to pass ‘-s 0’ to tcpdump and your capture is all truncated. And then start all over again to get the content over IPv6.

Posted in pcapr, Announcements

Adobe JBIG2 Buffer Overflow

February 24th, 2009 by kowsik

In case you haven’t seen this, it’s being exploited in the wild with a number of blogs talking about the specific details of the vulnerability. It’s pretty serious because of the very large presence of the Acrobat Reader across a wide range of OSes.

Posted in pcapr, IPS

JS3

January 14th, 2009 by kowsik

You know about LAMP and I’m sure you know about RoR, not to mention countless other web application frameworks. I would like to introduce you to JS3 (since we are on an acronym roll here) which is turning out to be my favorite way to build applications. I’ve built apps for a long time now with MFC/ATL, Swing and WEBrick, mainly because I like to visualize things in order to understand. And when your prototypes start looking like the real meal deal and the lines start getting blurrier, you know you’ve hit a home run.

Posted in JavaScript, Tools

http://www.pcapr.net

January 13th, 2009 by kowsik

Wow, time sure flies when you are writing code.

Lots to blog about, but this one will be short. We just launched http://www.pcapr.net, a place to upload, view, edit, comment and yes, transform pcaps. All you need is a browser. Registration is currently by invite only, but we hope to open that up soon.

Posted in pcapr, JavaScript, Announcements

strongSwan IKEv2 Denial-of-Service Vulnerability

September 18th, 2008 by Gavin Heer

The Mu Dynamics Research Team released advisory “MU-200809-01” today. Details: MU-200809-01.txt

Posted in Advisories

Google chrome vulnerability

September 4th, 2008 by kowsik

There was a post earlier today on Daily Dave about a DoS vulnerability in Chrome which supposedly was caused by a Microsoft runtime library when trying to access URL schemes that are bogus. It reminded me of this:

Posted in Rants

Zen and the art of fixing P1 bugs

July 14th, 2008 by kowsik

Just finished reading Zen and the Art of Motorcycle Maintenance for like the 100th time. I responded to a recent post on Daily Dave and somehow it seemed to trigger some thoughts about romantic and classical perspectives on software bugs. If you’ve read the book at all, neither perspective is right or wrong, except they are just different ways of looking at the same problem and both are equally valid since Quality is what drives them and more importantly creates them.

Posted in Rants

Remote DoS in reSIProcate

July 11th, 2008 by David Helder

The Mu Dynamics Research Team released advisory “MU-200807-01” today. Details: MU-200807-01

Posted in Advisories

IPS Evasion

June 30th, 2008 by kowsik

IPSes are just fun, aren’t they? Bunch of high-speed pattern matchers with built-in protocol decodes. Well, I built one a while back and got tired after 5 years. There’re only so many signatures you can have in a product before you run out of DFA/NFA space and you have to resort to turning off less important ones (i.e., *ahem* low severity) for the sake of performance. Interestingly enough, performance and security are at cross-roads. The more secure you are, the slower you run. Just the way things work, I suppose.

Posted in IPS

Fieldomatic Complexity

May 23rd, 2008 by kowsik

If you’ve gone through my CanSecWest slides, I talk a lot about Fields and how they are the fundamental units of protocols (network or file formats). The linkage information between the Fields and across messages is a pretty powerful way to infer the cyclomatic complexity of the code that parses these messages. When generating test cases (fuzzing being one kind), we can leverage these structural and semantic linkages to generate systematic constraint violations that ultimately exercise the various branches taken in the parser.

Posted in Mutations, Research