Lessons From Two Years of Crypto Audits

Video Link: https://www.youtube.com/watch?v=1tTfkXYdjQU
Duration: 45:50

Jean-Philippe Aumasson, Kudelski Security
Location: Jasmine
Date: Wednesday, August 7 | 2:40pm-3:30pm
Format: 50-Minute Briefings
Tracks: Cryptography, Security Development Lifecycle

Over the last two years, we've completed many successful crypto audits. These audits were mostly paid engagements but also some unsolicited ones, covering a mixture of blockchain projects as well as good old cryptography. We've worked for major blockchain organizations and have seen the most complex crypto protocols ever deployed at scale, which is really exciting but at the same time terrifying: what if there's a critical bug that could compromise the entire network? What if we as security auditors miss something? Questions like these loom over anyone performing an audit. There is no shortage of places where things can go wrong: bugs in source code, protocol defects, incorrect implementations, and the list goes on.

In this talk we'll first describe some of the most interesting security issues we've found (at least the ones we're authorized to talk about), then we'll focus on the risks associated with one of the most popular memory-safe languages, namely Rust. We'll describe a list of sanity checks and security best practices that we use internally when auditing Rust code, along with examples from real Rust audits. Finally, we'll draw some lessons from our experience, providing advice to fellow security auditors and developers, to get the most out of a security audit.
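The abstract promises a list of Rust sanity checks, but this listing page does not reproduce it. As an added illustration that is not the speakers' code and not their checklist, the block below shows three checks of the kind a crypto audit of Rust code commonly applies: a MAC tag comparison that short-circuits on the first mismatching byte beside a branch-free one, length arithmetic with `checked_mul` instead of silently wrapping release-build arithmetic, and zeroization of a key on drop with `write_volatile`. The function names, the 16-byte tag and the 32-byte key are assumptions made for the example.

```rust
use std::hint::black_box;
use std::sync::atomic::{compiler_fence, Ordering};

/// Added example, not from the talk. A MAC tag check written the way an
/// auditor flags it: `==` on slices stops at the first mismatching byte, so
/// the time it takes leaks how many leading bytes of a forged tag were right.
pub fn tag_matches_leaky(expected: &[u8], received: &[u8]) -> bool {
    expected == received
}

/// The fix an auditor asks for: a branch-free comparison that touches every
/// byte and only inspects the accumulated difference at the end. `black_box`
/// discourages the optimizer from re-introducing an early exit.
pub fn tag_matches_ct(expected: &[u8], received: &[u8]) -> bool {
    if expected.len() != received.len() {
        return false; // length is not secret; mismatched lengths are a plain error
    }
    let mut diff: u8 = 0;
    for (a, b) in expected.iter().zip(received.iter()) {
        diff |= a ^ b;
    }
    black_box(diff) == 0
}

/// Second check: arithmetic on attacker-controlled lengths. In a release build
/// `n_blocks * block_size + 16` wraps silently; `checked_*` turns the overflow
/// into an explicit `None` instead of an undersized buffer. The 16-byte tag
/// appended to the ciphertext is an assumption of this example.
pub fn ciphertext_len(n_blocks: u32, block_size: u32) -> Option<u32> {
    n_blocks.checked_mul(block_size)?.checked_add(16)
}

/// Third check: secrets should be wiped when they go out of scope. A plain
/// `self.0 = [0; 32]` in `Drop` can be removed as a dead store; volatile writes
/// cannot, and the fence keeps them from being reordered past the drop.
pub struct SecretKey(pub [u8; 32]);

impl Drop for SecretKey {
    fn drop(&mut self) {
        for byte in self.0.iter_mut() {
            // SAFETY: `byte` is a valid, aligned, exclusively borrowed u8.
            unsafe { std::ptr::write_volatile(byte, 0) };
        }
        compiler_fence(Ordering::SeqCst);
    }
}

fn main() {
    // Constructed sample input: a genuine tag and a forgery differing in the last byte.
    let tag = [0xAAu8; 16];
    let forged = {
        let mut f = tag;
        f[15] ^= 1;
        f
    };
    println!("leaky compare rejects forgery: {}", !tag_matches_leaky(&tag, &forged));
    println!("constant-time compare rejects forgery: {}", !tag_matches_ct(&tag, &forged));
    println!("len(4 blocks of 16): {:?}", ciphertext_len(4, 16));
    println!("len(u32::MAX blocks of 16): {:?}", ciphertext_len(u32::MAX, 16));
    let _key = SecretKey([7u8; 32]); // wiped when `main` returns
}
```

Both comparison functions return the same booleans; the point of the second is what it does on the way to that result, which is why an audit reads the loop rather than the test suite.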

Black Hat - USA - 2019