October 24, 2017

Do WAFs dream of static analyzers?


Virtual patching (VP) has been one of the most popular trends in application protection in recent years. Implemented at the level of a web application firewall, VP makes it possible to protect web applications against exploitation of previously defined vulnerabilities. (For our purposes, a web application firewall, or WAF, will refer to a dedicated solution operating on a separate node between an external gateway and web server.)

In short, VP works by taking the results of static application security testing (SAST) and using them to create rules for filtering HTTP requests on the WAF. The problem, though, is that SAST and WAFs rely on different application presentation models and different decision-making methods. As a result, none of the currently available solutions do an adequate job of integrating SAST with WAFs. SAST is based on the white-box model, which applies formal approaches to detect vulnerabilities in code. Meanwhile, a WAF perceives an application as a black box, so it uses heuristics for attack detection. This state of affairs makes VP sub-optimal for preventing attacks when the exploitation conditions for a vulnerability go beyond the trivial http_parameter=plain_text_attack_vector.

But what if we could make SAST and a WAF "play nice" with each other? Perhaps we could obtain information about an application's internal structure via SAST but then make this information available to the WAF. That way we could detect attacks on vulnerabilities in a provable way, instead of by mere guessing.

October 20, 2017

How-To: Obtaining Full System Access Via USB


Debugging mechanisms like JTAG (IEEE 1149.1) first appeared in the 1980s. Over time, microchip vendors extended the functionality of these interfaces. This allowed developers to obtain detailed information on power consumption, find bottlenecks in high-performance algorithms, and perform many other useful tasks.

Hardware debugging tools are also of interest to security researchers. These tools grant low-level system access and bypass important security protections, making it easier for researchers to study a platform's behavior and undocumented features. Unsurprisingly, these abilities have attracted the attention of intelligence services as well.

A major flaw in a popular encryption library undermines security of millions of crypto keys



An international team of IT security researchers from Britain, Slovakia, the Czech Republic, and Italy found a critical vulnerability in the popular encryption library RSA Library v1.02.013 by Infineon. A weak factoring mechanism allows attackers to obtain secret crypto keys and use them for data breaches and theft.

This vulnerable library is used to secure national ID cards in various countries and in most popular software products used by both governments and businesses.