Exposing Hidden Exploitable Behaviors In Programming Languages Using Differential Fuzzing

Video Link: https://www.youtube.com/watch?v=ZFEA_IXhqlQ



Duration: 26:21


Black Hat - Europe - 2017 Hacking conference
Securely developed applications may have unidentified vulnerabilities in the underlying programming languages. Attackers can target these programming language flaws to alter applications' behavior. This means applications are only as secure as the programming languages parsing the code.

A differential fuzzing framework was created to detect dangerous and unusual behaviors in similar software implementations. Multiple implementations of the top five interpreted programming languages were tested: JavaScript, Perl, PHP, Python, and Ruby. After fuzzing the default libraries and built-in functions, several dangerous behaviors were automatically identified.

This paper reveals the most serious vulnerabilities found in each language. It includes practical examples identifying which undocumented functions could allow OS command execution, when sensitive file contents may be partially exposed in error messages, how native code is being unexpectedly interpreted – locally and remotely – and when constants' names could be used as regular strings for OS command execution.

The vulnerabilities, methodology, and fuzzer will be made open source, and the accompanying talk will include live demonstrations.


Presenters:
Fernando Arnaboldi - Senior Security Consultant, IOActive
Fernando Arnaboldi is a senior security consultant at IOActive specializing in penetration testing and code reviews on multiple platforms. He is experienced in a variety of programming languages and has previously presented at security conferences such as Black Hat USA, DEF CON and OWASP AppSec USA.