A Bug or Malware? Catastrophic consequences either way. - Benjamin Holland and Suresh Kothari Derbycon 2014 (Hacking Illustrated Series InfoSec Tutorial Videos)

A Bug or Malware? Catastrophic consequences either way.
Benjamin Holland and Suresh Kothari
Derbycon 2014

We live in an age of software problems with catastrophic consequences. An extra goto in Apple's SSL implementation compromised certificate checks for the better part of a year. An erroneous integer conversion in the Ariane 5 launch destroyed the European Space Agency rocket and its cargo valued at 500 million dollars.

Often the problem is just a few lines of code, and looking for it is like searching for a needle in the haystack. Moreover, the problems are often so subtle that it is difficult to tell if the problem is intentionally malicious or an honest mistake. The traditional approach to malware detection fails to detect such catastrophic problems. To make matters worse, the problem can remain dormant and can easily evade testing. The recently exposed Heartbleed problem in OpenSSL has existed since 2011.

It is an open challenge to discover these subtle but catastrophic problems in software. In this talk, Iowa State University researchers involved with DARPA's Automated Program Analysis for Cybersecurity (APAC) project will discuss their approach to address this challenge. This approach enables a unique combination of automated software analysis and human intelligence. The approach will be concretely demonstrated by its use to detect subtle problems in Android applications.

Note: Microphone was off for the Derbycon recording, but Ben sent me another version.


Copyright 2016, IronGeek